I am building a tool that needs to have the ability to allow a user to upload 
a file, and the file should only be accessible by the user who uploaded it. 
It seems that the MEDIA_ROOT directory must be placed in the public www 
directory for the front-end web server Apache to serve the file, which 
currently does not restrict access to any of the uploaded files.  What I am 
looking for is a way that I can lock it down so that if they try to access 
the file directly, I would bring up a login screen and they must 
authenticate before I give them access to it.

I did some searching around, and found various solutions to the problem, 
but none of them sounds like it would work for me.  My requirements are:

1. My front-end web server must be Apache
2. Apache setup and config cannot be changed to accommodate my site alone 
(unless it's a config I can easily override in .htaccess)
3. Users should not have to log in twice (If they authenticated against 
django already, no reason to ask them to log in to Apache again)
4. Use django to serve the files as a last resort

Here are some of the solutions I found:

1. Update nginx/apache config to hook into django's user's database.  This 
looks like it would ask the user to log in again via Apache's login 
mechanism, plus it doesn't look like it would work with an alternative 
authentication backend (I am using django-auth-ldap)
2. Use django-sendfile, not possible because it requires installing plugins 
to Apache
3. Serve files through django.  Not recommended by django, so I am loath to 
try it
4. Override the MEDIA_ROOT behavior in urls.py and implement my own file 
serving behavior.  This sounds not all that far off from #3.

Are there any obvious solutions that I have overlooked?  Or am I stuck 
having to use django to serve the files?

Thanks for any advice,

Jack
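
The access decision that options 3 and 4 above would need, as an added example that is not part of the original post: a framework-neutral sketch of the check a download view performs before streaming a file kept outside the public www directory. The names `authorize_download`, `Decision`, `PRIVATE_ROOT`, `LOGIN_URL` and the owner mapping are hypothetical, and the sample paths are constructed.

```python
import os
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote

# Assumption: uploads are stored outside Apache's document root, so no URL
# maps to them directly and every download goes through the application.
PRIVATE_ROOT = "/srv/app/private_uploads"  # hypothetical storage path
LOGIN_URL = "/accounts/login/"             # hypothetical login route


@dataclass
class Decision:
    status: int                     # 200, 302, 403 or 404
    path: Optional[str] = None      # file to stream when status is 200
    location: Optional[str] = None  # redirect target when status is 302


def authorize_download(user_id, owner_of, rel_path, request_url,
                       root=PRIVATE_ROOT):
    """Decide how a download view should answer.

    user_id  -- id of the already-authenticated session user, None if anonymous
    owner_of -- mapping of stored relative path -> uploader's user id
                (stands in for a database lookup)
    """
    if user_id is None:
        # Anonymous: send to the application's login page, then back here.
        return Decision(302, location=f"{LOGIN_URL}?next={quote(request_url)}")

    # Resolve the requested name and refuse anything that escapes the root
    # ("../" sequences, absolute paths, symlinks pointing elsewhere).
    root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root, rel_path))
    if os.path.commonpath([root, full]) != root:
        return Decision(404)

    # Look up the uploader using the normalised path, not the raw input.
    owner = owner_of.get(os.path.relpath(full, root))
    if owner is None:
        return Decision(404)
    if owner != user_id:
        return Decision(403)  # authenticated, but not the uploader
    return Decision(200, path=full)


if __name__ == "__main__":
    owners = {"7/report.pdf": 7}  # constructed sample data
    for uid in (None, 7, 9):
        print(uid, authorize_download(uid, owners, "7/report.pdf",
                                      "/files/7/report.pdf"))
```

Because the session user is reused for the check, a user who has already logged in through the application (including through a backend such as django-auth-ldap) is not asked to authenticate a second time.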
