After killing myself to try and work out what throws this bad request (400) error when filebrowser-safe is installed and when MEDIA_ROOT is set to non '', I finally (through blood, sweat and tears) worked out that it comes from the "safe_join" function of the django-storages s3boto.py.

Because I have a custom storage class with 'location = "media"' for media files, and another with 'location = "static"' for static files (to ensure static and media are in separate dirs in the bucket), the safe_join function uses "media" as the base dir. It finds that the path to the uploads dir is wherever I set it in 'MEDIA_ROOT' and it doesn't like it (it's trying to prevent users from uploading outside the MEDIA_ROOT, of course). The exception is when MEDIA_ROOT = '' or '/'.

    if (not final_path.startswith(base_path) or
            final_path[base_path_len:base_path_len + 1] not in ('', '/')):
        raise ValueError('the joined path is located outside of the base path'
                         ' component')

This ValueError is caught by _normalize_name and traded for a "Suspicious Operation". Finally this gets caught by `django.core.handlers.base.BaseHandler.get_response`, which, if you have logging turned on, logs the suspicious operation "As attempt to access dir denied" (I didn't). It then just sends this to a "Bad request (400)", so the user is left blind. It's almost the same as this: https://code.djangoproject.com/ticket/21668#no2.

It is filebrowser-safe's get_directory that calls isdir (of the S3BotoStorageMixin), that calls isfile, that calls _normalize_name of S3BotoStorage, that finally calls safe_join. Hence why I only saw the problem when filebrowser-safe was installed.
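
The chain described in the message above, as an added sketch that is not part of the original post and is not the django-storages source: only the containment check is taken from the quoted snippet, while the posixpath-based join, the SuspiciousOperation stand-in, response_status and the sample paths are assumptions made for illustration.

```python
import posixpath


class SuspiciousOperation(Exception):
    """Local stand-in for django.core.exceptions.SuspiciousOperation."""


def safe_join(base, *paths):
    """Join paths under base; raise ValueError if the result leaves base."""
    base_path = base.rstrip("/")
    final_path = base_path
    for path in paths:
        # An absolute component (e.g. a filesystem MEDIA_ROOT) discards the
        # base entirely; normpath collapses any ".." segments.
        final_path = posixpath.normpath(posixpath.join(final_path + "/", path))
    base_path_len = len(base_path)
    # The check quoted in the post: the result must start with the base and
    # the next character must be "/" or nothing ("media_old" must not pass).
    if (not final_path.startswith(base_path) or
            final_path[base_path_len:base_path_len + 1] not in ("", "/")):
        raise ValueError("the joined path is located outside of the base path"
                         " component")
    return final_path.lstrip("/")


def normalize_name(location, name):
    """Mirror of the described _normalize_name step: ValueError is traded."""
    try:
        return safe_join(location, name)
    except ValueError:
        raise SuspiciousOperation("Attempt to access '%s' denied." % name)


def response_status(location, name):
    """What the request handler turns the outcome into (simplified)."""
    try:
        normalize_name(location, name)
    except SuspiciousOperation:
        return 400  # the user sees only "Bad request (400)"
    return 200


if __name__ == "__main__":
    # Constructed sample names, checked against location="media".
    for name in ("uploads/pic.jpg", "", "/srv/site/media/uploads",
                 "../static/app.js", "../media_old/x"):
        print(repr(name), "->", response_status("media", name))
```

Logging the SuspiciousOperation message is what makes the rejected name visible; without it the only symptom is the 400 response.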