I am buliding a tool that needs to have the ability to allow user to upload a file, and the file should only be accessible by the user who uploaded it. It seems that the MEDIA_ROOT directory must be placed in the public www directory for front end web servers Apache to serve the file, which currently does not restrict access to any of the uploaded files. What I am looking for is a way that I can lock it down so that if they try to access the file directly, I would bring up a login screen and they must authenticate before I give them access to it.
I did some searching around, and found various solutions to the problem, but none of them sounds like it would work for me. My requirements are: 1. My front-end web server must be Apache 2. Apache setup and config cannot be changed to accommodate my site alone (unless it's a config I can easily override in .htaccess) 3. Users should not have to log in twice (If they authenticated against django already, no reason to ask them to login to Apache again) 3. Use django to serve the files as a last resort Here are some of the solutions I found: 1. Update nginx/apache config to hook into django's user's database. This looks like it would ask the user to login again via Apache's login mechanism, plus it doesn't look like it would work with alternative authentication backend (I am using django-auth-ldap) 2. Use django-sendfile, not possible because it requires installing plugins to Apache 3. Serve files through django. Not recommended by django, so I am loath to try it 4. Override the MEDIA_ROOT behavior in urls.py and implement my own file serving behavior. This sounds not all that far off from #3. Are there any obvious solutions that I have over looked? Or am I stuck having to use django to serve the files? Thanks for any advice, Jack -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To post to this group, send email to django-users@googlegroups.com. Visit this group at http://groups.google.com/group/django-users. For more options, visit https://groups.google.com/groups/opt_out.
