protecting user uploaded files django
How can I allow users to upload files to their own, user designated folder, and only see files that they have uploaded? I am using django file-transfer. Currently it gives me a
-
uploadmodel_file_upload_to returns a relative path. To build the full path, django prepends settings.MEDIA_ROOT. MEDIA_ROOT is supposed to be public readable.
So we want to save the file outside MEDIA_ROOT. Add something like this to settings.py:
import os.path PROJECT_ROOT=os.path.abspath(os.path.dirname(__file__)) PROTECTED_MEDIA_ROOT=os.path.join(PROJECT_ROOT, 'protected_uploads')Now you can update uploadmodel_file_upload_to to return an absolute path:
def uploadmodel_file_upload_to(instance, filename): return '%s/%s/%s' % (settings.PROTECTED_MEDIA_ROOT, instance.user.username, filename)Now that the files are saved in /project/path/protected_uploads, we need to add a view to serve it, for example:
import os import mimetypes from django import shortcuts from django import http from django.conf import settings from django.views.static import was_modified_since from django.utils.http import http_date from .models import * def serve_upload(request, upload_id): upload = shortcuts.get_object_or_404(UploadModel, pk=upload_id) fullpath = upload.file.path if request.user != upload.user: return http.HttpResponseForbidden() statobj = os.stat(fullpath) mimetype, encoding = mimetypes.guess_type(fullpath) mimetype = mimetype or 'application/octet-stream' if not was_modified_since(request.META.get('HTTP_IF_MODIFIED_SINCE'), statobj.st_mtime, statobj.st_size): return http.HttpResponseNotModified(mimetype=mimetype) response = http.HttpResponse(open(fullpath, 'rb').read(), mimetype=mimetype) response["Last-Modified"] = http_date(statobj.st_mtime) response["Content-Length"] = statobj.st_size if encoding: response["Content-Encoding"] = encoding return responseAnd a URL:
url(r'serve_upload/(?P\d+)/$', 'serve_upload'), 讨论(0)
加载中...
- 热议问题