SuspiciousOperation using sorl-thumbnail

StackOverflow https://stackoverflow.com/questions/14820957

Question

I have a Django web application that accesses and manipulates several server filesystems (e.g. /fs01, /fs02, etc.) on behalf of the user. I'd like to present thumbnails of images on those filesystems to the user, and thought sorl-thumbnail would be the way to do it.

It seems though that the images must be under MEDIA_ROOT for sorl-thumbnail to create thumbnails. My MEDIA_ROOT is /Users/me/Dev/MyProject/myproj/media, so this works:

path = "/Users/me/Dev/MyProject/myproj/media/pipe-img/magritte-pipe-large.jpg"
try:
  im = get_thumbnail(path, '100x100', crop='center', quality=99)
except Exception, e:
  exc_type, exc_obj, exc_tb = sys.exc_info()
  print "Failed getting thumbnail: (%s) %s" % (exc_type, e)
print "im.url = %s" % im.url

It creates the thumbnail and prints the im.url, as I'd expect. But when I change path to:

path = "/fs02/dir/ep340102/foo/2048x1024/magritte-pipe-large.jpg"

It fails with:

Failed getting thumbnail: (<class 'django.core.exceptions.SuspiciousOperation'>)
Attempted access to '/fs02/dir/ep340102/foo/2048x1024/magritte-pipe-large.jpg' denied.

Is there a way to solve this? Can I use sorl-thumbnail to create thumbnails as I'd like to under these other filesystems (e.g. /fs01, /fs02, /fs03, etc.)? Is there a better approach?

Update. Here's the full stack trace:

Environment:


Request Method: GET
Request URL: http://localhost:8000/pipe/file_selection/

Django Version: 1.4.1
Python Version: 2.7.2
Installed Applications:
('django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.sites',
 'django.contrib.admin',
 'django.contrib.admindocs',
 'django.contrib.humanize',
 'django.contrib.messages',
 'pipeproj.pipe',
 'south',
 'guardian',
 'sorl.thumbnail')
Installed Middleware:
('django.middleware.common.CommonMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware')


Traceback:
File "/Library/Python/2.7/site-packages/django/core/handlers/base.py" in get_response
  111.                         response = callback(request, *callback_args, **callback_kwargs)
File "/Library/Python/2.7/site-packages/django/contrib/auth/decorators.py" in _wrapped_view
  20.                 return view_func(request, *args, **kwargs)
File "/Users/dylan/Dev/Pipe/pipeproj/../pipeproj/pipe/views/data.py" in file_selection
  184.  im = get_thumbnail(path, '100x100', crop='center', quality=99)
File "/Library/Python/2.7/site-packages/sorl_thumbnail-11.12-py2.7.egg/sorl/thumbnail/shortcuts.py" in get_thumbnail
  8.     return default.backend.get_thumbnail(file_, geometry_string, **options)
File "/Library/Python/2.7/site-packages/sorl_thumbnail-11.12-py2.7.egg/sorl/thumbnail/base.py" in get_thumbnail
  56.             source_image = default.engine.get_image(source)
File "/Library/Python/2.7/site-packages/sorl_thumbnail-11.12-py2.7.egg/sorl/thumbnail/engines/pil_engine.py" in get_image
  12.         buf = StringIO(source.read())
File "/Library/Python/2.7/site-packages/sorl_thumbnail-11.12-py2.7.egg/sorl/thumbnail/images.py" in read
  121.         return self.storage.open(self.name).read()
File "/Library/Python/2.7/site-packages/django/core/files/storage.py" in open
  33.         return self._open(name, mode)
File "/Library/Python/2.7/site-packages/django/core/files/storage.py" in _open
  156.         return File(open(self.path(name), mode))
File "/Library/Python/2.7/site-packages/django/core/files/storage.py" in path
  246.             raise SuspiciousOperation("Attempted access to '%s' denied." % name)

Exception Type: SuspiciousOperation at /pipe/file_selection/
Exception Value: Attempted access to '/fs02/dir/ep340102/foo/2048x1024/bettina.jpg' denied.
Was it helpful?

Solution

The SuspiciousOperation is from FileSystemStorage.path() here:

def path(self, name):
try:
    path = safe_join(self.location, name)
except ValueError:
    raise SuspiciousFileOperation("Attempted access to '%s' denied." % name)
return os.path.normpath(path)

It originates in safe_join() which has this test:

if (not normcase(final_path).startswith(normcase(base_path + sep)) and
...

This means that the computed filename must exist within the configured thumbnail storage. By default settings.THUMBNAIL_STORAGE is settings.DEFAULT_FILE_STORAGE which is FileSystemStorage which stores files in settings.MEDIA_ROOT.

You should be able to use a different storage path for thumbnails by defining a storage class:

from django.core.files.storage import FileSystemStorage

class ThumbnailStorage(FileSystemStorage):
    def __init__(self, **kwargs):
        super(ThumbnailStorage, self).__init__(
            location='/fs02', base_url='/fs02')

then in settings.py

THUMBNAIL_STORAGE = 'myproj.storage.ThumbnailStorage'

You'll also need to make sure that something is serving /fs02 at that URL:

if settings.DEBUG:
    patterns += patterns('',
        url(r'^fs02/(?P<path>.*)$', 'django.views.static.serve',
            {'document_root': '/fs02'}))

Note that your thumbnails will be created as /fs02/cache/... per the default THUMBNAIL_PREFIX

OTHER TIPS

What do you get with the following command?

ls -la /fs02/dir/ep340102/foo/2048x1024/

Access denied usually happens if the file owner is not the good one (and/or wrong file rights)...

I did it by supplying an absolute url instead, like this:

from sorl.thumbnail import get_thumbnail
from django.contrib.staticfiles.storage import staticfiles_storage

image_url = staticfiles_storage.url('image.jpg')
thumbnail = get_thumbnail(image_url, '100x100')
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top