Question

In my application I sometimes generate a new picture. After reading comments here I decided to store the pictures in the filesystem and the metadata in the database, so now my files are served statically independently of the database (the DB gives the user the filename that they want to access, which they then pull from a static fileserver).

However, the problem I have here is that I don't always want users to see pictures generated by other users. Let's say, for example, that user Joe creates pictures A and B, and user Sue creates C and D. I don't want Joe being able to see C and D and I don't want Sue seeing A and B. Since all the files are served statically, if Joe happens to guess the URL for C, he can access it.

Since the way the pictures are served is pretty much out of control of my Django, I'm not sure what the solution here would be, other than encrypting the files (which is complicated and resource-intensive).

Solution

The easy way is to use Django send_file[1] to do it. This is easy to implement but does not scale well. I use it to serve dynamically generated reports. The only advantage of this solution is that it's all Python code.

The better way is to use the information on sanmai's links. You can also take a look here: http://www.sensibledevelopment.com/2010/11/django-sendfile-an-for-abstraction-large-file-serving-in-django/ for some Django-specific information.

1: http://djangosnippets.org/snippets/101/
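
The pattern behind the sendfile approach the answer points to (the application decides who may see a file, the web server sends the bytes), as an added example that is not part of the original answer or of django-sendfile. It is a stdlib-only WSGI app rather than a Django view. Assumptions: nginx in front with an `internal` location at `/protected/`, `REMOTE_USER` set by the authentication layer, and the `PICTURE_OWNERS` dict standing in for the metadata table.

```python
from wsgiref.util import setup_testing_defaults

# Constructed sample metadata (filename -> owner); stands in for the database table.
PICTURE_OWNERS = {"a.png": "joe", "b.png": "joe", "c.png": "sue", "d.png": "sue"}

# Assumption: nginx fronts the app with a location clients cannot request directly:
#   location /protected/ { internal; alias /srv/pictures/; }
INTERNAL_PREFIX = "/protected/"


def authorize(user, filename):
    """True only when an authenticated user owns the requested file."""
    return user is not None and PICTURE_OWNERS.get(filename) == user


def picture_app(environ, start_response):
    """Handle GET /pictures/<filename>: decide here, let nginx send the bytes."""
    user = environ.get("REMOTE_USER")  # assumption: set by the auth layer
    # Keep only the last path segment, so no directory parts reach the redirect.
    filename = environ.get("PATH_INFO", "").rsplit("/", 1)[-1]
    if not authorize(user, filename):
        # Same answer for "missing" and "not yours": existence is not revealed.
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", [
        ("Content-Type", "image/png"),
        # nginx intercepts this header and serves the file from the internal location.
        ("X-Accel-Redirect", INTERNAL_PREFIX + filename),
    ])
    return [b""]


def request(user, path):
    """Run one constructed request through the app; return (status, headers)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    if user is not None:
        environ["REMOTE_USER"] = user
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    picture_app(environ, start_response)
    return seen["status"], seen["headers"]


if __name__ == "__main__":
    for who, path in [("joe", "/pictures/a.png"), ("joe", "/pictures/c.png")]:
        print(who, path, request(who, path))
```

The picture directory must no longer be reachable through a public static location, otherwise requesting the file directly bypasses the check. With Apache mod_xsendfile the header is `X-Sendfile` and carries a filesystem path.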

OTHER TIPS

Use one or more MD5 hexdigests of some attribute as part of the image path; the path will be pretty random.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow