The files for FileField
and ImageField
are uploaded relative to settings.MEDIA_ROOT
and should be accessible by the same relative filename appended to settings.MEDIA_URL
. This is why your admin interface points to the wrong url. For security reasons these should be different than STATIC_ROOT
and STATIC_URL
, otherwise Django will raise an ImproperlyConfiguredError
.
This will not prevent users from accessing files they shouldn't see, if they know or can guess the url. For this you will need to serve these private files through Django, instead of your web server of choice. Basically you need to specify a private directory under the web root level, and you need to load these files if the user has permission to see the file. E.g.:
from django.core.files.storage import FileSystemStorage
PRIVATE_DIR = os.path.join(ROOT_DIR, 'web-private')
fs = FileSystemStorage(location=PRIVATE_DIR)
class Customer(models.Model):
logo = models.ImageField(upload_to='customer/logo', storage=fs, null=True, blank=True)
In your view you will have to serve this file. One of the custom apps on my current project uses the following function to send static files:
import mimetypes
from django.http import HttpResponse # StreamingHttpResponse
from django.core.servers.basehttp import FileWrapper
def send_file(file):
"""
Send a file through Django without loading the whole file into
memory at once. The FileWrapper will turn the file object into an
iterator for chunks of 8KB.
"""
filename = file.name
if settings.PRIVATE_MEDIA_USE_XSENDFILE:
# X-sendfile
response = HttpResponse()
response['X-Accel-Redirect'] = filename # Nginx
response['X-Sendfile'] = filename # Apache 2, mod-xsendfile
# Nginx doesn't overwrite headers, but does add the missing headers.
del response['Content-Type']
else:
# Can use django.views.static.serve() method (which supports if-modified-since),
# but this also does the job well, as it's mainly for debugging.
mimetype, encoding = mimetypes.guess_type(filename)
response = HttpResponse(FileWrapper(file), content_type=mimetype)
response['Content-Length'] = os.path.getsize(filename)
return response
And then use send_file(customer.logo)
in your view.
Django >= 1.5 should use the new StreamingHttpResponse
instead of HttpResponse
.