Thanks to both of you for the advice - Ben, yours seems to be like a
step four to Javier's solution. I like it, but will only say I'll
maybe try it once I've got the serving done Javier's way.

Javier, could you post some example code? I'm pretty sure this is
bang-on what I want, although as I said, I'm using Apache.

Cheers,
Brenton.

On Aug 13, 3:10 pm, BenW <benwil...@gmail.com> wrote:
> If you want to prevent hotlinking to your documents or illicit access,
> then I would suggest writing a view that generates a unique URL per
> access.  For instance, a user hits your view, they get a randomly
> generated link to access the file.  You store that random link in
> their session as a one-to-one mapping to the pk of the file they want
> to download -- then you have a url/view that will take that random
> link and look up the file.  Afterward that random link is purged from
> their session.  Of course, this also means that Django would have to
> either serve the file itself, or you would have to rename the file on
> disk after every access .. which would be lame.
>
> On Aug 13, 11:00 am, stupidgeek <thestupidg...@gmail.com> wrote:
>
> > Hi there,
>
> > So I'm practically done with my first Django site (I've worked with
> > PHP for years, and I'm so glad I found Django), but I am having some
> > trouble with securing files; let me explain:
>
> > I've written a faculty review system, with tight checks on access for
> > reviews, based on committees, etc. Each review contains a document,
> > held by a models.FileField, and I would like to restrict access to the
> > file; i.e. not put it under my DocumentRoot (/var/www), so that it can
> > be accessed from within Django only (and, of course, access will
> > be limited by my views).
>
> > Is this possible? As far as I understand, when you access a FileField,
> > you get back the filename, which you then use somehow to link to it.
> > This of course means that the file must be under the document root,
> > which doesn't secure it for me (as anyone with the URL will be able to
> > access it) - this is NOT an option.
>
> > I'd be happy if someone could even link me to relevant docs.
>
> > Thanks,
> > Brenton.
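
The per-access link scheme BenW describes above, as an added example that is not code from the thread: a random token is mapped to the file's pk in the user's session and purged on first use. The `session` argument is a plain dict standing in for Django's `request.session`; `SESSION_KEY`, `TOKEN_TTL` and the function names are hypothetical, and the expiry is an addition the thread does not mention.

```python
import secrets
import time

SESSION_KEY = "download_tokens"   # hypothetical session key name
TOKEN_TTL = 300                   # seconds; assumed lifetime, not from the thread


def issue_download_token(session, file_pk, now=None):
    """Map a fresh random token to file_pk inside this user's session."""
    now = time.time() if now is None else now
    tokens = session.setdefault(SESSION_KEY, {})
    # Drop expired entries so abandoned links do not accumulate.
    for tok in [t for t, (_, exp) in tokens.items() if exp <= now]:
        del tokens[tok]
    token = secrets.token_urlsafe(32)   # unguessable, URL-safe
    tokens[token] = (file_pk, now + TOKEN_TTL)
    return token


def redeem_download_token(session, token, now=None):
    """Return the file pk for token, or None. The token is purged either way."""
    now = time.time() if now is None else now
    entry = session.get(SESSION_KEY, {}).pop(token, None)
    if entry is None:
        return None   # unknown, already used, or issued to another session
    file_pk, expires = entry
    if expires <= now:
        return None   # link was never used in time
    return file_pk


def demo():
    alice, mallory = {}, {}   # constructed sessions for two users
    link = issue_download_token(alice, file_pk=42, now=1000.0)
    results = {
        "other_session": redeem_download_token(mallory, link, now=1001.0),
        "first_use": redeem_download_token(alice, link, now=1001.0),
        "replay": redeem_download_token(alice, link, now=1002.0),
    }
    stale = issue_download_token(alice, file_pk=42, now=1000.0)
    results["expired"] = redeem_download_token(alice, stale, now=1000.0 + TOKEN_TTL)
    return results


if __name__ == "__main__":
    print(demo())
```

With a real `request.session`, set `request.session.modified = True` after changing the nested dict so the change is saved. The view that issues the token still has to run the committee and review access checks before calling `issue_download_token`.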