#37044: Mention in FileField.upload_to documentation that file locations on
authenticated models are not automatically authenticated.
-----------------------+-----------------------------------------
     Reporter:  Aaron  |                     Type:  Uncategorized
       Status:  new    |                Component:  Uncategorized
      Version:  6.0    |                 Severity:  Normal
     Keywords:         |             Triage Stage:  Unreviewed
    Has patch:  0      |      Needs documentation:  0
  Needs tests:  0      |  Patch needs improvement:  0
Easy pickings:  0      |                    UI/UX:  0
-----------------------+-----------------------------------------
 It's common practice to add authentication to a model such that it can be
 accessed by a subset of users. Developers might assume that the
 authentication of the model covers authentication of the "upload_to"
 field, but it does not. Therefore, any authenticated user who guesses any
 URL is able to access the underlying file, somewhat circumventing the
 authentication. Furthermore, these URLs share common patterns which might
 expose a lot more files.

 Suggestion:

 Add a warning to the documentation of "upload_to" along the lines of:

 ""upload_to" does not inherit authentication from a model. This has to
 be done externally."

 "Authentication of the model does not include authentication of
 "upload_to". Any authenticated user might guess the URLs and can access
 the underlying files."

 "Make sure to authenticate access to the URL stored in "upload_to", as
 these are not covered by the model authentication."

 Looking forward to discussing this,
 Aaron
-- 
Ticket URL: <https://code.djangoproject.com/ticket/37044>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
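One way to close the gap the ticket describes is to stop publishing the upload directory at all and hand files out only through a view that re-applies the model's access rule. This is an added example, not code from the ticket or from Django itself; the `Document` model with its `file` and `owner` fields, the `myapp.models` import path and the `is_staff` shortcut are hypothetical, and the storage root is assumed not to be mapped to any `MEDIA_URL` by the web server.

```python
"""Serve uploaded files through an authorization check, not MEDIA_URL.

Added example (hypothetical Document model). A guessable path under
upload_to only leaks the file if the web server serves that directory
directly; routing every download through serve_document means the model's
access rule is checked on the file itself, not just on the model page.
"""
import posixpath


def user_may_read(user, document) -> bool:
    """Access rule for one document, mirroring what the model views enforce.

    Assumes a duck-typed `user` (is_authenticated, is_staff, pk) and a
    `document` with an `owner_id` attribute. Kept framework-free so the
    rule can be unit-tested without a database.
    """
    if not getattr(user, "is_authenticated", False):
        return False
    if getattr(user, "is_staff", False):  # hypothetical staff override
        return True
    return document.owner_id == user.pk


def serve_document(request, pk):
    """Django view: look up the Document, check access, then stream the file.

    Imports are deferred so the access rule above can be tested without a
    configured Django settings module.
    """
    from django.http import FileResponse, Http404
    from django.shortcuts import get_object_or_404
    from myapp.models import Document  # hypothetical model

    doc = get_object_or_404(Document, pk=pk)
    if not user_may_read(request.user, doc):
        # Same response as a missing row, so callers cannot probe for paths.
        raise Http404
    return FileResponse(
        doc.file.open("rb"),
        as_attachment=True,
        filename=posixpath.basename(doc.file.name),
    )
```

Route `serve_document` under a URL such as `documents/<int:pk>/download/` and point templates at that route instead of `document.file.url`.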
