Hi,

Thanks a lot for that info. This is really useful.

I installed mod_xsendfile and I tried your code, but the file that's
downloaded from the view is empty. This might be because I've tested
it using the development server on port 8080. So I guess Apache is out
of the loop :/

I also have Apache running in parallel. Is there any way to have
Apache send the file after the view (executed via dev server:8080)
returns the response? Or is there any way around that issue?

Thanks!

Julien

On May 18, 3:27 am, John Hensley <[EMAIL PROTECTED]> wrote:
> You can do this with Apache. You need to add mod_xsendfile
> (http://tn123.ath.cx/mod_xsendfile/) to your Apache config, then
> control access to the files with a Django view. A quick search of
> this group turns up references to mod_xsendfile, but no example view,
> so here's what it might look like for your project:
>
> import mimetypes
> import os
>
> from django.conf import settings
> from django.contrib.auth.decorators import login_required
> from django.http import HttpResponse, HttpResponseForbidden
> from django.shortcuts import get_object_or_404
> # ProjectFile is the project's own model; import it from your app.
>
> @login_required
> def sendfile(request, id):
>     project_file = get_object_or_404(ProjectFile, id=id)
>
>     # Only staff and members of the file's project may download it.
>     if not (request.user.is_staff or request.user in
>             project_file.project.members.all()):
>         return HttpResponseForbidden('No. Sorry.')
>
>     # Empty body: mod_xsendfile replaces it with the file at this path.
>     response = HttpResponse()
>     response['X-Sendfile'] = os.path.join(settings.MEDIA_ROOT,
>                                           project_file.file)
>     content_type, encoding = mimetypes.guess_type(
>         project_file.get_file_url())
>     if not content_type:
>         content_type = 'application/octet-stream'
>     response['Content-Type'] = content_type
>     response['Content-Length'] = project_file.get_file_size()
>     response['Content-Disposition'] = 'attachment; filename="%s"' % \
>         os.path.basename(project_file.get_file_url())
>     return response
>
> You get the idea.
>
> The Apache config denies access to the upload subdirectory altogether;
> mod_xsendfile overrides that when it sees the X-Sendfile header in the
> response from the Django view. You get to use Django for the complex
> authorization, then it lets Apache handle the grunt work of shipping
> the file. Pretty nice; I thought this might have been the requirement
> that finally pushed me over to nginx or lighty, but not yet....
>
> John
>
> On May 15, 2008, at 7:38 PM, Julien wrote:
>
> > Hi,
> >
> > I'm building a website where users can create projects and upload
> > files for their projects. I already have a system in place so that
> > only members of a project can access the project related pages. Now,
> > I'd like it to be more secure by only giving access to the files of a
> > project to its members.
> >
> > It appears to me that simply serving the files with Apache is not
> > enough. Does Django provide a way to achieve that? Does it mean I'll
> > have to serve the files with 'static.serve' with a layer of
> > authorization checking?
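
An added example, not part of the thread and not John's code: a framework-independent sketch of the response-building step that shows why the body comes back empty when nothing in front of the view interprets X-Sendfile, with a fallback that returns the bytes directly. It goes beyond the view in the thread by checking that the resolved path stays under the media root and by cleaning the file name before it goes into the header. The function names and the `use_xsendfile` flag are assumptions made for this example.

```python
import mimetypes
import os
import tempfile

def safe_media_path(media_root, relative_name):
    """Resolve relative_name under media_root; refuse anything that escapes it."""
    root = os.path.realpath(media_root)
    full = os.path.realpath(os.path.join(root, relative_name))
    if os.path.commonpath([root, full]) != root or not os.path.isfile(full):
        raise ValueError("not a file under the media root")
    return full

def download_response(media_root, relative_name, use_xsendfile):
    """Return (headers, body) for a download that is already authorized."""
    full = safe_media_path(media_root, relative_name)
    content_type = mimetypes.guess_type(full)[0] or "application/octet-stream"
    # Drop quotes, backslashes and control characters from the header value.
    name = "".join(c for c in os.path.basename(full)
                   if c.isprintable() and c not in '"\\')
    headers = {
        "Content-Type": content_type,
        "Content-Disposition": 'attachment; filename="%s"' % name,
    }
    if use_xsendfile:
        # Behind Apache + mod_xsendfile: empty body, Apache ships the file.
        headers["X-Sendfile"] = full
        return headers, b""
    # No front end interprets X-Sendfile (development server): return the bytes.
    with open(full, "rb") as fh:
        body = fh.read()
    headers["Content-Length"] = str(len(body))
    return headers, body

def demo():
    # Constructed temporary media root with one sample upload.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "uploads", "report.txt"), "wb") as fh:
            fh.write(b"constructed sample content\n")
        apache = download_response(root, "uploads/report.txt", True)
        dev = download_response(root, "uploads/report.txt", False)
        try:
            download_response(root, "../outside.txt", True)
            escaped = True
        except ValueError:
            escaped = False
    return apache, dev, escaped

if __name__ == "__main__":
    print(demo())
```

In a Django project the flag would typically come from a setting that is enabled only where Apache with mod_xsendfile fronts the application.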