Re: authentication/access control for static files

2006-09-29 Thread Maximillian Dornseif

In my application I'm not concerned about people giving the urls of
static files to others but people guessing filenames (this is called
"Browsing" or "URL Tampering" by some.)

I counter this by setting "Options -Indexes" in the apache
configuration and changing the filename to something 'random'
unguessable during upload. E.g.:

import md5
import os
import time

from django.conf import settings
from django.db.models import ImageField, signals
from django.dispatch import dispatcher


class MyImageField(ImageField):
    def __init__(self, verbose_name=None, name=None,
                 width_field=None, height_field=None, auto_rename=True, **kwargs):
        self.auto_rename = auto_rename
        super(MyImageField, self).__init__(verbose_name, name,
                                           width_field, height_field, **kwargs)

    def _save(self, instance=None):
        # Runs on pre_save: rename the uploaded file to a hard-to-guess name
        # and store the new path (relative to MEDIA_ROOT) on the instance.
        if not self.auto_rename:
            return
        if instance is None:
            return
        imagepath = getattr(instance, self.attname)
        if not imagepath:
            return
        # generate hard to guess name, keeping the original extension
        newname = md5.new('overkill-%r-%r-%r-%r-%r' % (
            instance.__class__.__name__, self.name,
            time.time(), id(self),
            instance._get_pk_val())).hexdigest() + os.path.splitext(imagepath)[1]
        newimagepath = os.path.join(os.path.split(imagepath)[0], newname)
        if not os.path.exists(os.path.join(settings.MEDIA_ROOT, imagepath)):
            return
        os.rename(os.path.join(settings.MEDIA_ROOT, imagepath),
                  os.path.join(settings.MEDIA_ROOT, newimagepath))
        setattr(instance, self.attname, newimagepath)

    def contribute_to_class(self, cls, name):
        super(MyImageField, self).contribute_to_class(cls, name)
        # rename right before every save of the owning model
        dispatcher.connect(self._save, signals.pre_save, sender=cls)

This results in filenames/URLs like
http://example.com/media/ba9d09948c278abdd0014966cc98f750.jpg


--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-users
-~--~~~~--~~--~--~---
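The rename-on-upload idea from the post above, written out as an added example that is not from the original message or from Django itself. It uses only the Python standard library so it runs without a Django project: MEDIA_ROOT and the uploaded file's relative path are passed in as plain arguments, the extension allowlist is an assumed policy, and the random part of the name comes from secrets.token_hex() (the OS CSPRNG, 128 bits) rather than an md5 over the timestamp and primary key, so the name's unpredictability does not depend on what a viewer knows about when or by whom a file was uploaded. It also refuses paths that resolve outside MEDIA_ROOT and never overwrites an existing file.

```python
"""Rename an uploaded file to an unguessable name inside MEDIA_ROOT.

Added example (not the original post's or Django's code). Stdlib only:
media_root stands in for settings.MEDIA_ROOT, and ALLOWED_EXTENSIONS is
an assumed site policy.
"""
import os
import re
import secrets
import tempfile

# Extensions we are willing to store and serve back; anything else is
# rejected so a stored name can never end in e.g. ".php" or ".html".
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Shape of the names this module produces: 32 hex chars plus an extension.
HEX_NAME = re.compile(r"^[0-9a-f]{32}\.[a-z0-9]+$")


def unguessable_name(original_name, nbytes=16):
    """Return '<hex random><ext>' for original_name.

    The hex part is drawn from the OS CSPRNG (nbytes bytes, 16 by default),
    so upload time, primary keys or other uploads give no help in guessing
    it. Only the (lower-cased, allowlisted) extension of the original
    name is kept.
    """
    ext = os.path.splitext(original_name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed: %r" % ext)
    return secrets.token_hex(nbytes) + ext


def rename_upload(media_root, relpath):
    """Rename media_root/relpath to an unguessable name in the same directory.

    Returns the new path relative to media_root. Refuses anything that
    resolves outside media_root (e.g. '../..' components) and never
    overwrites an existing file.
    """
    root = os.path.realpath(media_root)
    src = os.path.realpath(os.path.join(root, relpath))
    if os.path.commonpath([root, src]) != root:
        raise ValueError("upload path escapes MEDIA_ROOT: %r" % relpath)
    if not os.path.isfile(src):
        raise FileNotFoundError(src)

    directory = os.path.dirname(src)
    for _ in range(3):
        dst = os.path.join(directory, unguessable_name(src))
        try:
            # link() fails atomically if dst already exists, unlike rename()
            os.link(src, dst)
        except FileExistsError:
            continue
        os.unlink(src)
        return os.path.relpath(dst, root)
    raise RuntimeError("could not find a free name in %r" % directory)


def is_unguessable_name(path):
    """True if the basename of path has the shape unguessable_name() produces."""
    return HEX_NAME.match(os.path.basename(path)) is not None


def demo_rename():
    """Constructed sample: one fake upload in a temporary MEDIA_ROOT."""
    media_root = tempfile.mkdtemp()
    os.makedirs(os.path.join(media_root, "uploads"))
    original = os.path.join(media_root, "uploads", "photo.JPG")
    with open(original, "wb") as f:
        f.write(b"\xff\xd8\xff")  # JPEG magic bytes as sample content
    new_relpath = rename_upload(media_root, "uploads/photo.JPG")
    with open(os.path.join(media_root, new_relpath), "rb") as f:
        content = f.read()
    return {
        "new_relpath": new_relpath,          # e.g. uploads/3f9a...c2.jpg
        "original_gone": not os.path.exists(original),
        "content": content,
    }


if __name__ == "__main__":
    print(demo_rename())
```

The random name only helps when the directory cannot be listed, which is why the post pairs it with "Options -Indexes"; the allowlist and the MEDIA_ROOT check are the two extra things a reviewer would want to see on any code that renames user-supplied paths on disk.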



Re: authentication/access control for static files

2006-09-28 Thread Bedros Hanounik
thanks, that's exactly what I'm looking for.

On 9/28/06, Ivan Sagalaev <[EMAIL PROTECTED]> wrote:
> Bedros Hanounik wrote:
> > thanks for the quick response; that should work for me for now (low
> > traffic); but I wonder how it scales with high traffic site. Also, any
> > idea how this may apply to lighttpd.
>
> In Lighty there is a "secure download" module
> (http://trac.lighttpd.net/trac/wiki/Docs%3AModSecDownload) that creates
> temporary static files based on user credentials.



Re: Re: authentication/access control for static files

2006-09-28 Thread James Bennett

On 9/28/06, Bedros Hanounik <[EMAIL PROTECTED]> wrote:
> thanks for the quick response; that should work for me for now (low
> traffic); but I wonder how it scales with high traffic site. Also, any idea
> how this may apply to lighttpd.

The PythonAuthenHandler directive used to make this work is specific
to Apache/mod_python.

-- 
"May the forces of evil become confused on the way to your house."
  -- George Carlin




Re: authentication/access control for static files

2006-09-28 Thread Bedros Hanounik
thanks for the quick response; that should work for me for now (low traffic); but I wonder how it scales with high traffic site. Also, any idea how this may apply to lighttpd.
On 9/28/06, James Bennett <[EMAIL PROTECTED]> wrote:
> On 9/28/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > for example, I have a dynamic page created, which has a url pointing to
> > a static file on another server.
>
> Django provides a mechanism for extending Apache's own authentication
> to check against the Django user database, but this requires Django to
> be running on all the servers involved:
>
> http://www.djangoproject.com/documentation/apache_auth/
>
> --
> "May the forces of evil become confused on the way to your house."
>   -- George Carlin



Re: authentication/access control for static files

2006-09-28 Thread James Bennett

On 9/28/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> for example, I have a dynamic page created, which has a url pointing to
> a static file on another server.

Django provides a mechanism for extending Apache's own authentication
to check against the Django user database, but this requires Django to
be running on all the servers involved:

http://www.djangoproject.com/documentation/apache_auth/

-- 
"May the forces of evil become confused on the way to your house."
  -- George Carlin
