Django hide media files link for certain people

Question

I programmed a function where you can download a file from the media folder with the media files depending on the link. The problem is that if you change the path in the link you have access to all the media files and not just the ones you are supposed to download. Can I somehow ban the other links (with a permission or something) or is there a clever way to solve the whole thing?

Answer 1

Score: 1

Not sure that my approach is the most clever, but I usually add a user field to the model that has the file field. And then within that function-based view that is returning the file, I perform a check to see if the `request.user` is the same user. Also, for files like these I make sure to store them in a directory that is not publicly accessible whatsoever, using the `FileSystemStorage` class, along with the `FileField` class.

Here's a couple snippets that illustrate my own approach:

    # settings.py
    MEDIA_ROOT_FOR_SENSITIVE_FILES = '/path/to/your/special/folder'

    # models.py
    from functools import partial

    from django.conf import settings
    from django.core.files.storage import FileSystemStorage
    from django.db import models
    from django.db.models import FileField

    # Create a custom storage location, using a value from your settings file
    sensitive_upload_storage = FileSystemStorage(location=settings.MEDIA_ROOT_FOR_SENSITIVE_FILES,
                                                 base_url='/some_prefix/')
    # ... and a file field that will use the custom storage
    AuthenticatedFileField = partial(FileField, storage=sensitive_upload_storage)


    class UserUpload(models.Model):
        user = models.ForeignKey('auth.User', on_delete=models.DO_NOTHING)
        file = AuthenticatedFileField()


    # views.py / handles the url "/some_prefix/{PATH}".
    from django.contrib.auth.decorators import login_required
    from django.http import FileResponse, Http404

    from .models import UserUpload


    @login_required  # anonymous requests never reach the owner-scoped query below
    def download_userupload(request, path):
        try:
            # Filtering on the owner means another user's path raises DoesNotExist
            file = UserUpload.objects.get(user=request.user, file=path)
        except UserUpload.DoesNotExist:
            # Http404 is an exception class: it has to be raised, not returned
            raise Http404

        return FileResponse(file.file)

Hope that helps, and glad to follow-up if you have any further q's!



# Answer 2
**Score**: 1

I have now found a good solution.

I now handle my files via a function called **sendfile** *(https://github.com/johnsensible/django-sendfile)* and send them to the user.

This is used to access the media folder internally. I can simply switch off the Media Link in NGINX.
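An added example, not code from either answer and not django-sendfile's own code: a framework-independent sketch of the decision the download view has to make, combining the owner-scoped lookup from Answer 1 with the NGINX hand-off from Answer 2 (the `X-Accel-Redirect` header pointing at a location marked `internal`). The names `INTERNAL_PREFIX`, `UPLOADS` and `authorize_download` are assumptions, and the dict stands in for the `UserUpload` table.

```python
import posixpath
from urllib.parse import quote

# Assumed NGINX side (hypothetical location name, folder taken from settings.py above):
#   location /protected_media/ { internal; alias /path/to/your/special/folder/; }
# `internal` makes NGINX refuse direct client requests to this prefix.
INTERNAL_PREFIX = "/protected_media/"

# Constructed sample rows standing in for UserUpload: stored path -> owner.
UPLOADS = {
    "invoices/alice-2023.pdf": "alice",
    "invoices/bob-2023.pdf": "bob",
}


def authorize_download(username, requested_path):
    """Return (status, headers) for a download request.

    username is None for an anonymous request.
    """
    if username is None:
        return 401, {}

    # Accept only canonical relative paths, so the string that is checked
    # is exactly the string that ends up in the redirect header.
    clean = posixpath.normpath(requested_path)
    if (clean != requested_path or clean.startswith("/")
            or clean == ".." or clean.startswith("../") or "\x00" in clean):
        return 404, {}

    # Owner-scoped lookup: a path that exists but belongs to someone else
    # gets the same 404 as a path that does not exist at all.
    if UPLOADS.get(clean) != username:
        return 404, {}

    # The application never streams the file; NGINX serves it from the
    # internal location named in the header (value is percent-encoded).
    return 200, {"X-Accel-Redirect": INTERNAL_PREFIX + quote(clean)}


if __name__ == "__main__":
    print(authorize_download("alice", "invoices/alice-2023.pdf"))
    print(authorize_download("alice", "invoices/bob-2023.pdf"))
```

Editing the path in the link now only changes which row is looked up for the requesting user; the public media URL no longer exists to fall back on.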



huangapple
  • Posted on June 30, 2023, 01:46:24
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76583465.html