In my application I'm not concerned about people giving the URLs of static files to others, but about people guessing filenames (some call this "Browsing" or "URL Tampering").
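# I counter this by setting "Options -Indexes" in the Apache configuration and
# by changing the filename to something random and unguessable during upload.
# E.g.:


class MyImageField(ImageField):
    """ImageField that renames the stored file to a random name before save.

    The rename is done by ``_save``, which ``contribute_to_class`` connects
    to the ``pre_save`` signal of the model class the field is attached to.
    Pass ``auto_rename=False`` to keep the original filename.
    """

    def __init__(self, verbose_name=None, name=None,
                 width_field=None, height_field=None, auto_rename=True,
                 **kwargs):
        """Store the ``auto_rename`` flag and defer the rest to ImageField."""
        self.auto_rename = auto_rename
        super(MyImageField, self).__init__(verbose_name, name,
                                           width_field, height_field,
                                           **kwargs)

    def _save(self, instance=None):
        """Rename the instance's image file to a random 32-hex-digit name.

        Does nothing when renaming is disabled, when no instance is given,
        when the field is empty, or when the file is not present under
        ``settings.MEDIA_ROOT``. Otherwise the file is renamed on disk and
        the new relative path is written back to the instance attribute.
        Because this runs on every ``pre_save``, an existing file is renamed
        again each time the instance is saved.
        """
        import binascii

        if not self.auto_rename or instance is None:
            return

        imagepath = getattr(instance, self.attname)
        if not imagepath:
            return

        current_full = os.path.join(settings.MEDIA_ROOT, imagepath)
        if not os.path.exists(current_full):
            return

        # The name must come from the OS CSPRNG. A hash of the class name,
        # field name, timestamp, object id and primary key only looks random:
        # those inputs can be estimated, and hashing adds no entropy, so such
        # names do not protect against filename guessing.
        token = binascii.hexlify(os.urandom(16)).decode('ascii')

        # The extension is carried over unchanged from the stored path.
        # NOTE(review): if that path derives from the uploader's filename,
        # consider restricting it to an allow-list of image extensions -
        # confirm against the upload handling.
        extension = os.path.splitext(imagepath)[1]
        directory = os.path.split(imagepath)[0]
        newimagepath = os.path.join(directory, token + extension)

        os.rename(current_full,
                  os.path.join(settings.MEDIA_ROOT, newimagepath))
        setattr(instance, self.attname, newimagepath)

    def contribute_to_class(self, cls, name):
        """Attach the field to ``cls`` and hook ``_save`` into its pre_save."""
        super(MyImageField, self).contribute_to_class(cls, name)
        dispatcher.connect(self._save, signals.pre_save, sender=cls)


# This results in filenames/URLs like
# http://example.com/media/ba9d09948c278abdd0014966cc98f750.jpg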