On Wed, May 19, 2010 at 7:19 PM, Mike Dewhirst <mi...@dewhirst.com.au> wrote:
> On 20/05/2010 11:00am, Lee Hinde wrote:
>
>> I'm working on an intranet app for a client that will have file uploads.
>> I'm early in the process, but have the uploading working just fine via
>> admin.
>>
>> Once we get to deployment, I'm unclear on how to coordinate the security
>> that django will know about (group X has access to X's files, but not
>> group Y's),
>>
>> When I poke around for discussions on protecting uploaded files, the
>> most recent and seemingly on point discussion is here:
>>
>> http://stackoverflow.com/questions/2780893/django-authentication-htaccess-static
>>
>> Which is basically suggesting that one hash the name and hope that
>> no-one guesses the resulting path.
>>
>> What's best practice here?
>
> If it has to be secure rather than just wishful thinking the webserver must
> demand credentials. If you are using Apache, that means .htaccess files
> which point to a list of credentials for each group.
>
> Maybe you could obtain a django authentication backend which Apache can use
> as well? On an Intranet you should be able to access LDAP connectivity
> somewhere - Microsoft AD, Novell eDirectory or Linux LDAP.
>
> I'm very interested in your progress here because I have to travel this
> road in the medium term future.
>
> I have done a test implementation of Peter Herndon's django-ldap-groups
> with eDir and one of the next steps for me is to look at the Apache LDAP
> docs.
>
> http://code.google.com/p/django-ldap-groups/
>
> Good luck
>
> Mike
>
>> Thanks.
>>
>> - Lee

This is going to be a hosted solution and if I add LDAP maintenance to the new things they have to do, I think they'll go back to shuffling Excel files back and forth via email.

One Apache log-in and then one Django log-in? Blech.

Let's see what anyone else has to say...
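
The requirement discussed in this thread (group X can read X's files but not group Y's), as an added example that is not part of the original messages: the decision is made per request from the requester's group membership instead of from an unguessable file name. The `<group>/<filename>` storage layout, `UPLOAD_ROOT`, and the names `authorize_download` and `can_download` are assumptions made for illustration.

```python
from pathlib import Path, PurePosixPath

# Assumption: uploads live at <UPLOAD_ROOT>/<group name>/<file name>,
# outside any directory the web server serves directly.
UPLOAD_ROOT = Path("/srv/app/uploads")


class AccessDenied(Exception):
    """Raised when the requester may not read the requested file."""


def authorize_download(user_groups, requested):
    """Return the absolute path to serve, or raise AccessDenied.

    user_groups: group names of the already authenticated user
    requested:   path taken from the URL, e.g. "groupx/report.xls"
    """
    rel = PurePosixPath(requested)
    # Only "<group>/<filename>" is accepted: no absolute paths, no "..",
    # no extra directory levels.
    if rel.is_absolute() or ".." in rel.parts or len(rel.parts) != 2:
        raise AccessDenied("malformed path")
    group, filename = rel.parts
    # Access depends on who is asking, not on whether they know the name.
    if group not in set(user_groups):
        raise AccessDenied("not a member of %s" % group)
    group_dir = (UPLOAD_ROOT / group).resolve()
    target = (UPLOAD_ROOT / group / filename).resolve()
    # Defence in depth: after symlinks are resolved the file must still
    # sit inside this group's own directory.
    if group_dir not in target.parents:
        raise AccessDenied("path escapes group directory")
    return target


def can_download(user_groups, requested):
    """Boolean wrapper around authorize_download."""
    try:
        authorize_download(user_groups, requested)
    except AccessDenied:
        return False
    return True
```

The check assumes the caller has already authenticated the user (for example through the application's own log-in) and passes in that user's group names.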