Re: Securing files held by FileField.
Thanks a lot, Javier! There were a few caveats to getting this to work for me, but I've gotten there, finally!

For anyone else who wants to use this solution, check out this posting by a bloke named Andre, who was extremely helpful when I emailed him asking for a bit of a hand: http://andre.liquidmm.com/blog/2009/mar/24/secure-downloads/

Also, here is the homepage for the module: http://tn123.ath.cx/mod_xsendfile/

And here is a .deb for all you Debian-based people: http://www.screenage.de/blog/2008/02/22/libapache2-mod-xsendfile-processes-x-sendfile-headers-with-apache2/

One extra note: if you are going above your DocumentRoot, you must use XSendFileAllowAbove On - for some reason I thought this was optional, and it caused me a couple of hours of 404s. Of course, Andre was helpful in helping me realise my silliness.

So, thanks to you all. This finishes my project for me =D

Brenton.

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
-~--~~~~--~~--~--~---
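The serving approach the thread settled on (the view checks committee access, then hands the file to mod_xsendfile through an X-Sendfile header while the files live outside DocumentRoot), as an added framework-free Python sketch that is not from the thread or from Andre's post. PRIVATE_ROOT, the REVIEWS and MEMBERSHIP data and serve_review are constructed stand-ins for the Review model, the committee checks and a Django view.

```python
import os

# Assumed: an absolute directory outside Apache's DocumentRoot (/var/www), so no URL
# maps onto it. Apache side, as in the thread: XSendFile On, plus XSendFileAllowAbove On
# because this root is above DocumentRoot; without it mod_xsendfile answers 404.
PRIVATE_ROOT = "/srv/reviews/private"

# Constructed sample data standing in for the Review model (FileField name relative to
# PRIVATE_ROOT) and committee membership; review 2 has a hostile stored name on purpose.
REVIEWS = {
    1: {"committee": "tenure", "document": "2009/smith_review.pdf"},
    2: {"committee": "hiring", "document": "../../etc/passwd"},
}
MEMBERSHIP = {"alice": {"tenure"}, "bob": {"hiring"}}

def may_view(username, review_id):
    """Committee-based check: the user must sit on the committee owning the review."""
    review = REVIEWS.get(review_id)
    return review is not None and review["committee"] in MEMBERSHIP.get(username, set())

def sendfile_headers(document_name):
    """Headers of the empty-body response that makes mod_xsendfile serve the file.

    The stored name is resolved under PRIVATE_ROOT and refused if it escapes, so a bad
    FileField value cannot aim X-Sendfile at an arbitrary file. In Django this is
    response = HttpResponse(); response["X-Sendfile"] = full (the body stays empty).
    """
    root = os.path.realpath(PRIVATE_ROOT)
    full = os.path.realpath(os.path.join(root, document_name))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("document path escapes PRIVATE_ROOT")
    return {
        "X-Sendfile": full,
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % os.path.basename(full),
    }

def serve_review(username, review_id):
    """Stand-in for the download view: (status, headers). Unknown reviews and escaping
    paths both give 404; a review outside the user's committees gives 403."""
    review = REVIEWS.get(review_id)
    if review is None:
        return 404, {}
    if not may_view(username, review_id):
        return 403, {}
    try:
        return 200, sendfile_headers(review["document"])
    except ValueError:
        return 404, {}
```

Only the 200 response carries X-Sendfile, so Apache never touches the file for a caller the view has rejected.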
Re: Securing files held by FileField.
Thanks to both of you for the advice - Ben, yours seems to be like a step four to Javier's solution. I like it, but will only say I'll maybe try it once I've got the serving done Javier's way.

Javier, could you post some example code? I'm pretty sure this is bang-on what I want, although as I said, I'm using Apache.

Cheers,
Brenton.

On Aug 13, 3:10 pm, BenW wrote:
> If you want to prevent hotlinking to your documents or illicit access,
> then I would suggest writing a view that generates a unique URL per
> access. For instance, a user hits your view, they get a randomly
> generated link to access the file. You store that random link in
> their session as a one-to-one mapping to the pk of the file they want
> to download -- then you have a url/view that will take that random
> link and look up the file. Afterward that random link is purged from
> their session. Of course, this also means that Django would have to
> either serve the file itself, or you would have to rename the file on
> disk after every access .. which would be lame.
>
> On Aug 13, 11:00 am, stupidgeek wrote:
> > Hi there,
> >
> > So I'm practically done with my first Django site (I've worked with
> > PHP for years, and I'm so glad I found Django), but I am having some
> > trouble with securing files; let me explain:
> >
> > I've written a faculty review system, with tight checks on access for
> > reviews, based on committees, etc. Each review contains a document,
> > held by a models.FileField, and I would like to restrict access to the
> > file; i.e. not put it under my DocumentRoot (/var/www), so that it can
> > only be accessed from within Django (and, of course, access will
> > be limited by my views).
> >
> > Is this possible? As far as I understand, when you access a FileField,
> > you get back the filename, which you then use somehow to link to it.
> > This of course means that the file must be under the document root,
> > which doesn't secure it for me (as anyone with the URL will be able to
> > access it) - this is NOT an option.
> >
> > I'd be happy if someone could even link me to relevant docs.
> >
> > Thanks,
> > Brenton.
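The single-use link that BenW sketches above, as an added example that is not from the thread: a random token is bound to the file's pk inside the caller's session and purged on first use. `session` stands in for request.session, and SESSION_KEY is an assumed name; as BenW notes, the file itself still has to be served by a view after the token is redeemed.

```python
import secrets

# Assumed name of the per-user session entry that holds outstanding tokens.
SESSION_KEY = "download_tokens"

def issue_download_token(session, file_pk):
    """Mint a single-use random link token bound to file_pk in the caller's session.

    `session` is any dict-like object standing in for request.session. With Django's
    real session store, mutating the nested dict also needs request.session.modified = True.
    """
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe alphabet
    session.setdefault(SESSION_KEY, {})[token] = file_pk
    return token

def redeem_download_token(session, token):
    """Return the file pk bound to token and purge it; None if unknown or already used.

    Because the mapping lives in the session, the token is useless from another
    session, and a second use from the same session fails as well.
    """
    return session.get(SESSION_KEY, {}).pop(token, None)

def download_url(token):
    """The per-access URL handed to the user (route name assumed)."""
    return "/download/%s/" % token
```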
Securing files held by FileField.
Hi there,

So I'm practically done with my first Django site (I've worked with PHP for years, and I'm so glad I found Django), but I am having some trouble with securing files; let me explain:

I've written a faculty review system, with tight checks on access for reviews, based on committees, etc. Each review contains a document, held by a models.FileField, and I would like to restrict access to the file; i.e. not put it under my DocumentRoot (/var/www), so that it can only be accessed from within Django (and, of course, access will be limited by my views).

Is this possible? As far as I understand, when you access a FileField, you get back the filename, which you then use somehow to link to it. This of course means that the file must be under the document root, which doesn't secure it for me (as anyone with the URL will be able to access it) - this is NOT an option.

I'd be happy if someone could even link me to relevant docs.

Thanks,
Brenton.
Re: Strange problem with LDAP authentication backend
David, you are a champ, thank you. I find it strange that this made the difference, since this line is in the docs: "The get_user method takes a user_id -- which could be a username, database ID or whatever -- and returns a User object." But, making the change to user_id worked just fine.

For everyone's reference, here is a working (simple) backend for an open directory server, using sasl cram_md5, with a self-signed certificate:

    from django.contrib.auth.models import User
    import ldap
    import ldap.sasl


    class LDAPBackend:
        def authenticate(self, username=None, password=None):
            if username and password:
                # Accept the server's self-signed certificate: this turns off
                # TLS certificate verification for the ldaps:// connection.
                ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
                directory = 'ldaps://MYSERVERURL'
                base_dn = 'MYBASEDN'
                scope = ldap.SCOPE_SUBTREE
                con = ldap.initialize(directory)
                # SASL CRAM-MD5 bind with the submitted credentials
                auth_tokens = ldap.sasl.cram_md5(username, password)
                try:
                    con.sasl_interactive_bind_s("", auth_tokens)
                except ldap.LDAPError:
                    return None
                con.unbind()
                # The bind succeeded: hand back the matching Django user
                try:
                    user = User.objects.get(username=username)
                    print user
                    return user
                except User.DoesNotExist:
                    return None

        def get_user(self, user_id):
            # Called by the auth framework with the primary key kept in the session
            try:
                user = User.objects.get(id=user_id)
                return user
            except User.DoesNotExist:
                return None

Many thanks again to David and Peter.

Brenton.

On Aug 12, 12:31 pm, David De La Harpe Golden wrote:
> stupidgeek wrote:
> > def get_user(self, username):
> >     try:
> >         user = User.objects.get(username=username)
> >         print user
> >         return user
> >     except User.DoesNotExist:
> >         return None
>
> Note part of the auth backend protocol AFAICS involves calling
> get_user() itself* (not just authenticate()), and it is expected to take
> a user_id arg, not username, i.e. you very likely need it to be:
>
> def get_user(self, user_id):
>     try:
>         return User.objects.get(pk=user_id)
>     except User.DoesNotExist:
>         return None
>
> * django/contrib/auth/__init__.py
Re: Strange problem with LDAP authentication backend
Hi Peter,

Thanks for your input, but I am afraid to say that you are indeed wrong =( Ha. The user that I am trying to log in as (me) has superuser permissions; by no errors, I mean that I get a plain login form - no red box telling me something went wrong.

Thanks again for the input, and I'll grab a look at your app if I have time, although I can't promise to be of much help, as I had help from my department's LDAP guy to get the sasl bind working.

Meanwhile, the mystery continues - any other suggestions, folks?

On Aug 12, 11:48 am, Peter Herndon wrote:
> On 08/12/2009 11:17 AM, stupidgeek wrote:
> > Hi all,
> >
> > I'm having a strange problem. I wrote a basic LDAP backend, to
> > authenticate users against our open directory server:
> >
> > [snip]
> >
> > Note that the print user line works, so a valid user is being
> > returned, meaning the bind works just fine.
> >
> > The problem I am getting is that the GET /admin/ is returning me to
> > the login form, without any errors, over and over. A login using a
> > user from the Django db works without a problem.
> >
> > Any suggestions?
>
> Hi Brenton,
>
> Your GET /admin/ is returning "without any errors". By that, do you
> mean that it is sending you back to the login form and telling you to
> input a *correct* username and password? If so, the thing I ran into
> with this is that the django.contrib.auth.models.User model has two
> attributes, is_staff and is_superuser. If you are NOT setting at least
> is_staff = True, then your user is not allowed to access the admin,
> period, and you'll never get past the login screen. If you go into
> /admin/ as an actual admin user, you'll likely see your user created in
> the Users section, but with no staff or superuser permissions.
>
> I actually very recently wrote an app to help with this sort of
> thing, http://code.google.com/p/django-ldap-groups/, though I haven't targeted
> Open Directory or LDAP servers using SASL auth. I'd be happy to work
> with you to add Open Directory to the list of supported servers.
>
> It is very new (about a week old or so), and has boogs, but I'd love to
> see if it helps your problem.
>
> (Of course, the fun part about LDAP is that my diagnosis may be entirely
> wrong, too... ;)
>
> Regards,
>
> ---Peter Herndon
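A constructed model of the round trip that David's and Peter's replies describe, added here and not Django's code or anything from the thread: after a successful authenticate() the session holds the user's pk, each later request feeds that pk to get_user(), and the admin additionally demands is_staff. USERS, get_by and the two backend classes are stand-ins for the ORM and for the posted backend before and after David's change.

```python
# Constructed in-memory stand-ins (not Django's code) for the pieces involved: a users
# table, a session, and the two calls the auth framework makes on a backend.
USERS = {
    1: {"username": "brenton", "is_active": True, "is_staff": True},
    2: {"username": "guest", "is_active": True, "is_staff": False},
}
SESSION_KEY = "_auth_user_id"  # the session key Django's auth framework really uses

class UserDoesNotExist(Exception):
    pass

def get_by(**kw):
    """Stand-in for User.objects.get(...), accepting username=, pk= or id=."""
    (field, value), = kw.items()
    for pk, user in USERS.items():
        if (field in ("pk", "id") and pk == value) or user.get(field) == value:
            return dict(user, pk=pk)
    raise UserDoesNotExist

class BrokenBackend:
    def get_user(self, username):  # as in the first post: treats the argument as a name
        try:
            return get_by(username=username)
        except UserDoesNotExist:
            return None

class FixedBackend:
    def get_user(self, user_id):  # as David suggested: the argument is the primary key
        try:
            return get_by(pk=user_id)
        except UserDoesNotExist:
            return None

def login(session, user):
    """After authenticate() succeeds, the framework stores the user's pk in the session."""
    session[SESSION_KEY] = user["pk"]

def user_for_request(session, backend):
    """On each later request the framework turns that pk back into a user via get_user().
    None here means an anonymous request, which the admin answers with its login form."""
    return backend.get_user(session.get(SESSION_KEY))

def admin_allows(user):
    """The admin's own gate, as Peter describes: an active user with is_staff set."""
    return user is not None and user["is_active"] and user["is_staff"]
```

With BrokenBackend the pk is looked up as a username, no user matches, and the request is anonymous: exactly the silent bounce back to the login form the thread describes.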
Strange problem with LDAP authentication backend
Hi all,

I'm having a strange problem. I wrote a basic LDAP backend, to authenticate users against our open directory server:

    from django.contrib.auth.models import User
    import ldap
    import ldap.sasl


    class LDAPBackend:
        def authenticate(self, username=None, password=None):
            if username and password:
                ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
                directory = 'ldaps://MYSERVERURL'
                base_dn = 'MYBASEDN'
                scope = ldap.SCOPE_SUBTREE
                con = ldap.initialize(directory)
                auth_tokens = ldap.sasl.cram_md5(username, password)
                try:
                    con.sasl_interactive_bind_s("", auth_tokens)
                except ldap.LDAPError:
                    return None
                con.unbind()
                return self.get_user(username)
            return None

        def get_user(self, username):
            try:
                user = User.objects.get(username=username)
                print user
                return user
            except User.DoesNotExist:
                return None

Now, I know this works, because a) it works just lovely in the shell and b) I get this output when I try a login:

    Django version 1.0.2 final, using settings 'reviews.settings'
    Development server is running at http://0.0.0.0:80/
    Quit the server with CONTROL-C.
    brenton
    [11/Aug/2009 13:25:01] "POST /admin/ HTTP/1.1" 302 0
    [11/Aug/2009 13:25:01] "GET /admin/ HTTP/1.1" 200 1511

Note that the print user line works, so a valid user is being returned, meaning the bind works just fine.

The problem I am getting is that the GET /admin/ is returning me to the login form, without any errors, over and over. A login using a user from the Django db works without a problem.

Any suggestions?

Thanks,
Brenton.