Authentication for static files

Ben Davis

26 Sep 2009, 13:08:15
to django...@googlegroups.com
I would like to be able to serve files that were uploaded via the admin site; for example, when someone clicks on the "Currently:" file link in the changeform. However, I also have the following requirements:
  1. The file should only be accessible when authenticated via Django's auth system
  2. Clicking the file link should not present an already authenticated user with another authentication challenge
I'm currently using a custom FileSystemStorage location and base_url for files that should be only accessible via the admin.

I've seen this documentation: http://docs.djangoproject.com/en/dev/howto/apache-auth/, but it deals with mod_python, and I'm using mod_wsgi, so I'm not sure if that will work. Also, I'm not sure if that solution meets requirement #2.

Any ideas?

Graham Dumpleton

27 Sep 2009, 00:16:13
to Django users

On Sep 27, 3:08 am, Ben Davis <bendavi...@gmail.com> wrote:
> I would like to be able to serve files that were uploaded via the admin
> site;  for example, when someone clicks on the "Currently:" file link in the
> changeform.  However, I also have the following requirements:
>
>    1. The file should only be accessible when authenticated via django's
>    auth system
>    2. Clicking the file link should not present an already authenticated
>    user with another authentication challenge
>
> I'm currently using a custom FileSystemStorage location and base_url for
> files that should be only accessible via the admin.
>
> I've seen this documentation: http://docs.djangoproject.com/en/dev/howto/apache-auth/, but it deals with
> mod_python,   and I'm using mod_wsgi,  so I'm not sure if that will work.
> Also,  I'm not sure if that solution meets requirement #2.
>
> Any ideas?

The mod_wsgi equivalent of that page is at:

http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms

Neither will help you though as they implement Basic/Digest
authentication which is distinct from Django form/session based
authentication and would as a result prompt for credentials again.

Graham

Ben Davis

27 Sep 2009, 13:31:15
to django...@googlegroups.com
Actually, I just found out about the X-Sendfile header which I think might solve this problem. It basically allows you to set the HttpResponse content to an empty string, but the X-Sendfile header tells Apache to send a file from the filesystem, so Apache handles the actual serving of the file, but it still allows you to do preprocessing beforehand. I'll probably just override django.views.static.serve to support this, and use the X-Sendfile header when in production mode.
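
An added example, not code from the thread or from Django: the decision logic a view would need before handing a file to Apache via X-Sendfile, including the path check that keeps a request from naming a file outside the upload directory. `PROTECTED_ROOT`, `LOGIN_URL` and both function names are hypothetical, and `is_authenticated` stands in for the session check a Django view makes on `request.user`.

```python
import os
import posixpath
from urllib.parse import quote

# Assumptions (not from the thread): uploads live outside any directory Apache
# serves directly, and an Apache module that honours X-Sendfile is enabled.
PROTECTED_ROOT = "/srv/protected_uploads"
LOGIN_URL = "/admin/"  # hypothetical page backed by Django's session login


def resolve_protected(root, url_path):
    """Return the real path of url_path under root, or None if it escapes.

    url_path is the already URL-decoded path taken from the request.
    """
    if "\0" in url_path:
        return None
    rel = posixpath.normpath(url_path).lstrip("/")
    root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root, rel))
    # realpath() resolves ".." and symlinks, so this also rejects a symlink
    # inside the upload directory that points somewhere else.
    if full == root or os.path.commonpath([root, full]) != root:
        return None
    return full


def protected_file_response(url_path, is_authenticated, root=PROTECTED_ROOT):
    """Build (status, headers, body) for a request to a protected upload."""
    if not is_authenticated:
        # Send the user to the session login form; a user who already has a
        # session never reaches this branch, so is not challenged again.
        return 302, {"Location": LOGIN_URL + "?next=" + quote(url_path)}, b""
    full = resolve_protected(root, url_path)
    if full is None or not os.path.isfile(full):
        return 404, {}, b""
    # Empty body: Apache replaces it with the file named in X-Sendfile.
    return 200, {"X-Sendfile": full}, b""
```

The protected directory must not also be reachable through an Apache `Alias` or `DocumentRoot`, otherwise the file can be fetched directly and the check above is never run.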