Re: Default upload permissions

2018-12-10 Thread Ira Abbott
I like this solution, as it applies the fix for new things moving forward
with no change in behavior to cause problems for existing tweaked-in sites.
The most likely time to run into this problem is, in my opinion, when
varying platforms or starting fresh projects. Once settled into a
project/platform combination, minor OS and platform feature patches, etc.
are unlikely to change behavior.


On Friday, December 7, 2018 at 11:04:21 AM UTC-5, René Fleschenberg wrote:
>
> Hi, 
>
> On 12/5/18 9:54 AM, Carlton Gibson wrote: 
> > *Proposal*: we should change the default for FILE_UPLOAD_PERMISSION to 
> > 0o644 (or maybe 0o664), and document that as a backward incompatible 
> > change. This would be correct for almost all users.  If you're 
> > deliberately leveraging `FILE_UPLOAD_PERMISSION = None` it's an easy 
> > switch back to the current behaviour. 
> As someone who wasted a couple of hours because of the current behavior, 
> I am very much in favor of this. 
>
> The second-best solution in my opinion would be to have ``manage.py 
> startproject`` explicitly write the setting, either as 0o644 or as 0o600. 
>
> -- 
> René Fleschenberg 
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/a8ea6c6b-b04c-4160-b707-dfccd816526c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: Default upload permissions

2018-12-07 Thread René Fleschenberg
Hi,

On 12/5/18 9:54 AM, Carlton Gibson wrote:
> *Proposal*: we should change the default for FILE_UPLOAD_PERMISSION to
> 0o644 (or maybe 0o664), and document that as a backward incompatible
> change. This would be correct for almost all users.  If you're
> deliberately leveraging `FILE_UPLOAD_PERMISSION = None` it's an easy
> switch back to the current behaviour. 
As someone who wasted a couple of hours because of the current behavior,
I am very much in favor of this.

The second-best solution in my opinion would be to have ``manage.py
startproject`` explicitly write the setting, either as 0o644 or as 0o600.

-- 
René Fleschenberg



Re: Default upload permissions

2018-12-05 Thread Carlton Gibson
Hi all, 

This has come up again. So proposal below.

https://code.djangoproject.com/ticket/30004 "Document TemporaryUploadedFile 
potential permission issues"

Issue is that, with the default settings, you get 0o644 permissions for 
"small" files and 0o600 permissions for "big" ones. 
(Depending on which upload handler is used.)

History: 

* Claude and I discussed this a bit. 
* We are agreed the inconsistent default isn't great. 
* We noted just setting FILE_UPLOAD_PERMISSION solves this. 
* Given FILE_UPLOAD_PERMISSION = None, Claude suggested a patch which would
  "guess" the permissions to use from the process umask.
* I didn't like this: 
   * too clever, and ultimately not our business.
   * Would work for default settings but get in the way once you started
     using the related file upload settings. (And so would need an opt-out.)
* In the end we just added a note to the deployment checklist. 

This wasn't good enough. (Clearly.) 

*Proposal*: we should change the default for FILE_UPLOAD_PERMISSION to 
0o644 (or maybe 0o664), and document that as a backward incompatible 
change. This would be correct for almost all users.  If you're deliberately 
leveraging `FILE_UPLOAD_PERMISSION = None` it's an easy switch back to the 
current behaviour. 

Can I ask you to comment? Thanks. 

Kind Regards,

Carlton
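
The small/big inconsistency described in the message above, reproduced with the standard library only. This is an added example, not part of the thread and not Django's code: `save_small`, `save_big` and `upload_modes` are hypothetical stand-ins for the in-memory and temp-file upload paths, and the `permissions` argument plays the role of the setting under discussion. It assumes a POSIX filesystem.

```python
import os
import stat
import tempfile


def save_small(dest, data):
    """In-memory path: the destination is created directly with mode 0o666,
    so the process umask decides the result (0o644 under umask 0o022)."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def save_big(dest, data):
    """Temp-file path: data is spooled to a temporary file, which tempfile
    always creates as 0o600, and is then renamed into place with that mode."""
    with tempfile.NamedTemporaryFile(dir=os.path.dirname(dest), delete=False) as tmp:
        tmp.write(data)
    os.rename(tmp.name, dest)


def upload_modes(permissions=None, umask=0o022):
    """Return (small_mode, big_mode). With permissions=None nothing is
    chmod-ed afterwards; otherwise both files get the explicit mode."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            modes = []
            for name, save in (("small.bin", save_small), ("big.bin", save_big)):
                path = os.path.join(d, name)
                save(path, b"x" * 16)  # constructed sample payload
                if permissions is not None:
                    os.chmod(path, permissions)
                modes.append(stat.S_IMODE(os.stat(path).st_mode))
            return tuple(modes)
    finally:
        os.umask(old)


if __name__ == "__main__":
    for perm in (None, 0o644):
        small, big = upload_modes(perm)
        print(f"permissions={perm!r}: small={oct(small)} big={oct(big)}")
```

With no explicit mode the two paths disagree, and only the directly created file follows the umask; an explicit mode makes both paths agree.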
 


