#30004: Document TemporaryUploadedFile potential permission issues
-------------------------------------+-------------------------------------
     Reporter:  Evgeny Arshinov      |                    Owner:  nobody
         Type:                       |                   Status:  new
  Cleanup/optimization               |
    Component:  Documentation        |                  Version:  2.1
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Evgeny Arshinov):

 Thank you Tim, this is precisely what I was looking for! I can only see
 one issue with the current docs (if you excuse me for bothering you with
 such minor details). [https://docs.djangoproject.com/en/2.1/ref/settings/#file-upload-permissions The documentation] for the
 FILE_UPLOAD_PERMISSIONS setting reads:

 > If this isn’t given or is None, you’ll get operating-system dependent
 > behavior. On most platforms, temporary files will have a mode of 0o600,
 > and files saved from memory will be saved using the system’s standard
 > umask.

 As I would understand this text, only temporary files get a mode of 0o600.
 I would then ask myself: "Why should I care about temporary files, they
 should be gone anyway after the file is uploaded?" and skip setting
 FILE_UPLOAD_PERMISSIONS. What is important but is not properly conveyed to
 the user is that not only temporary files themselves, but also the actual
 files which end up in the media folder get permissions of 0o600.

 Currently a developer can only discover this either by careful reading of
 the Deployment checklist page (`manage.py check --deploy` does not seem to
 check `FILE_UPLOAD_PERMISSIONS`) or by hitting the inconsistent
 permissions accidentally (like I did).

 I propose to unify the docs for `FILE_UPLOAD_PERMISSIONS` on the Settings
 page and the Deployment checklist page like this:
 https://gist.github.com/earshinov/0340f741189a14d4fd10e3e902203ad6/revisions#diff-14151589d5408f8b64b7e0e580770f0e

 Pros:
 1. It makes more clear that one gets different permissions for the
 *uploaded* files.
 2. It makes the docs more unified and thus easier to synchronously change
 in the future if/when required.

 I recognize that my edits might seem too minor and insignificant to be
 worth the hassle of editing the docs, committing, re-publishing them etc.,
 but still I hope you will find them useful enough to be integrated into
 the official docs.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/30004#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
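
The mismatch described in the comment above, as an added example that is not part of the ticket and is not Django's own code: a standard-library sketch of the two save paths, one writing an in-memory upload to a new file and one moving a temporary file into the media folder. The function names, the 0o022 umask and the sample data are assumptions made for the illustration.

```python
import os
import shutil
import stat
import tempfile


def mode_of(path):
    """Return only the permission bits of a file."""
    return stat.S_IMODE(os.stat(path).st_mode)


def save_from_memory(data, dest):
    # In-memory upload: a new file is created, so its mode is 0o666 & ~umask.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def save_from_tempfile(data, dest):
    # Streamed upload: the tempfile module creates the file with mode 0o600,
    # and moving it into place keeps that mode on the final file.
    tmp = tempfile.NamedTemporaryFile(delete=False, suffix=".upload")
    with tmp:
        tmp.write(data)
    shutil.move(tmp.name, dest)


def demo(upload_permissions=None):
    """Save one file per path and return (memory_mode, tempfile_mode)."""
    old_umask = os.umask(0o022)  # assumed typical server umask
    try:
        with tempfile.TemporaryDirectory() as media:  # stand-in media folder
            small = os.path.join(media, "small.bin")
            large = os.path.join(media, "large.bin")
            save_from_memory(b"constructed sample", small)
            save_from_tempfile(b"constructed sample" * 4, large)
            if upload_permissions is not None:
                # Explicit mode applied after saving, the role the
                # FILE_UPLOAD_PERMISSIONS setting plays in the discussion.
                for path in (small, large):
                    os.chmod(path, upload_permissions)
            return mode_of(small), mode_of(large)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print([oct(m) for m in demo()])        # no explicit mode: modes differ
    print([oct(m) for m in demo(0o644)])   # explicit mode: both files match
```

Run on a POSIX system; without an explicit mode the moved file stays at 0o600 while the newly created one follows the umask.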
