If you are using Apache, you can simply disable the indexing of files
in your Apache conf Directory directive.

This will give a 403 Forbidden if you try to access the directory from Apache,
hence no files are seen.

        <Directory /home/directory/ >
                Options -Indexes
        </Directory>

I hope this helps.

Regards
//Vikalp

2010/11/11 Łukasz Rekucki <lreku...@gmail.com>

> On 11 November 2010 03:19, andy <flowar...@gmail.com> wrote:
> > Django recommends saving images to the file system since this gives
> > better performance than storing the files in a database. However I
> > don't see any documentation on how to restrict access to those files
> > by user. If someone knows the url to your image directory they could
> > possibly view all the content of that directory. If you create a
> > social network or a multi tenant application how will you handle this
> > issue?
> >
> > While writing this up I learned about preventing directory listing. Is
> > this secure enough? How about obfuscating file or directory names?
>
> This largely depends on what your HTTP server can do, but with Apache
> you can use the X-Sendfile header. This works like this:
>
> 0. Install mod_xsendfile and put "XSendFile On" in your Apache config.
> See also [1].
>
> 1. Instead of putting the images in a location with all the other
> media, put it in a protected location - one which the server can read,
> but not associated with any Location.
>
> 2. Create a view that will check permissions for a given file. As a
> response return an empty HttpResponse with "X-Sendfile" header
> containing the full filesystem path of the file to be served, or a 403
> if the person is not permitted.
>
> 3. Apache will look at the response for X-Sendfile header and if
> present the file that the header points to will be served as a
> response instead.
>
> This way you can check permission in your Django app, while still
> having the speed of serving static files directly by HTTP server. A
> similar solution is also available for nginx[2] and probably other
> webservers.
>
> [1]: https://tn123.org/mod_xsendfile/
> [2]: http://wiki.nginx.org/NginxXSendfile
>
> --
> Łukasz Rekucki
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To post to this group, send email to django-us...@googlegroups.com.
> To unsubscribe from this group, send email to
> django-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-users?hl=en.
>
>
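Step 2 of the quoted X-Sendfile approach, as an added example that is not code from the thread: a framework-agnostic permission check returning the status and headers a Django view would set, written without importing Django so it runs stand-alone. The protected directory, the ownership table and the file names are constructed, and it goes one step beyond the post by also rejecting requested names that escape the protected directory.

```python
import mimetypes
import os

# Hypothetical protected directory: readable by Apache but not mapped to any
# <Location>/<Alias>, so nothing in it is reachable by URL (step 1 of the post).
PROTECTED_ROOT = "/srv/protected_media"

# Constructed ownership table: relative file name -> set of usernames allowed to
# read it. In a real app this is a database lookup (e.g. an Image.owner field).
FILE_OWNERS = {
    "avatars/alice.png": {"alice"},
    "docs/report.pdf": {"alice", "bob"},
}


def resolve_under_root(relative_name, root=PROTECTED_ROOT):
    """Absolute path of relative_name inside root, or None if it escapes root.

    abspath() collapses '..' segments without touching the filesystem, and an
    absolute relative_name replaces root entirely in os.path.join(), so both
    traversal forms end up outside root and fail the commonpath test.
    """
    root = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root, relative_name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def protected_file_response(username, relative_name):
    """Decide how to answer a request for relative_name from username.

    Returns (status, headers). 200 plus an X-Sendfile header tells mod_xsendfile
    to stream that file; 403 means the user may not read it; 404 means the
    name is unknown or escapes the protected directory. username is None for
    an anonymous request.
    """
    path = resolve_under_root(relative_name)
    if path is None or relative_name not in FILE_OWNERS:
        return 404, {}
    if username not in FILE_OWNERS[relative_name]:
        # Returning 404 here instead would also hide whether the file exists.
        return 403, {}
    content_type = mimetypes.guess_type(path)[0] or "application/octet-stream"
    # In a Django view: resp = HttpResponse(status=200); resp["X-Sendfile"] = path;
    # resp["Content-Type"] = content_type; return resp (empty body, Apache adds the file).
    return 200, {"X-Sendfile": path, "Content-Type": content_type}
```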
