I am making a django application that makes user of django's ImageField to upload a file to a specific folder. I am using this field for storing the user's profile pictures. But the problem is the path that I give to upload_to is dynamic and depends on user and will create directories if needed. i.e if the path is user/1/profile-pic/large/pic.jpg, it will create the directores, user/, user/1/ so on, if the are not already there. It worked fine in development. But now when I have put my website on a VM and serving it using apache. Django raises the permission denied error. As I have to make directories dynamically so I can't make them ahead of everything and change their permissions. So I was wondering if there is any of way of acoomplishing it.
You should chown you media directory to the user which runs you django app.
Related
I'm working on a Django-Vuejs based project. In my project, a user can have a folder. Inside that, he can create multiple files. Let say, user restricted users from India to access that folder. This folder restriction will now be followed in files as well. But, user can override these settings on file level i.e., user can change restrict settings for single file. So that, if one folder has 5 files. Folder is restricting India and now only one file allowing India. That means, one file will allow India, rest four will restrict India.
My question here is how my middleware should be designed for these settings? Should I create interceptors in Vuejs and define middleware for each route /folder/1 and /file/1 or create custom middleware in Django and check for the requested path in request and accordingly check for the access settings?
What's the best way to achieve this?
I've tried with rest_framework Permissions on folder level. It's working perfectly if the settings are only on folder level. But if settings get changed on file level, it still checks for folder permission and send response accordingly (since file is inside the folder).
I think you don't need a middleware for that, all the logic shall be in the view that will serve the file.
For the permissions, if I were you, I create a Model Called permissions and let the user permissions added to that model.
[Update]
I've managed to upload a small file (but not yet a large image). ../media/filer_public/ sub-directories are being correctly created and file correctly uploaded. Need to investigate nginx configurations.
[OP]
I've logged into a new Django CMS system as superuser but cannot Add filer image or Add filer file to a page as the file upload silently fails; very briefly flashing its upload graphics but not actually uploading anything. I believe all the settings.py are correct as static artifacts are rendered correctly and Nginx has credible similar locations for both media and static directories.
I believe all file and directory permissions and ownerships are correct; i.e. that Nginx has user and / or group ownership of the Django CMS app directories and that permissions are correct.
The Postgres table filer_folder has a row for a new filer folder I created when editing a page but no corresponding directory has been created in the file system. I can add text and new text block plugins that get saved correctly.
Django CMS is running in a Docker container web which I have confirmed has rw (read/write) access to a Docker volume.
I see nothing abnormal in webs logs.
How can I find out what's (not) happening?
Simply adding client_max_body_size 10M; to the nginx configuration for the site solved the issue.
Similar issues were addressed in Stackoverflow and elsewhere:
Server Fault
Setting up Django and your web server with uWSGI and nginx
I use Django with supervisor. My project folder is located in foouser directory, however in supervisor, I chose to run the deployment process using a different user, which was created by
$ adduser --disabled-login www
Hence user www does not have access to the media and static folders of the django project since they are under a different user directory. I feel that just making the file-permissions 0777 is not a proper way for allowing user www to have access to the static and media files. I also feel that it might be a security risk to run the deployment process under foouser which has more privileges compared to user www.
What is the best approach for this?
You can change owner group of your media directory/files to www's group and give it full permission.
Another option is to put your media files under a directory where www user has access, (may be you can use symlink/hardlink to bring directory owned by www under your django project media path).
I'm running a Django app for my root public_html folder, and it's working fine. But there's a problem with one of my other apps. The problematic app is accessed through a redirect to a subdirectory (e.g. http://workingsite.com redirects to public_html, http://brokensite.com redirects to public_html/foo)
The problem is that the session expires whenever anything needs to be saved in the Django admin (either added or changed). If you try again, sometimes it works. This does not happen on my own machine when I run the Django dev server.
The timezone in both of the app settings.py files is the same, which is the same as the timezone in both of the .htaccess files.
The apps are almost identical, except the working app uses WYMEditor and the broken one uses TinyMCE as its text editor. Don't know why that would do anything to cause the problem, but I included it just in case. Also, I've made a custom CSS file for the admin backend in the broken app (again, shouldn't cause a problem).
Seems to have been a configuration issue with the company I was hosting with - it's not happening anymore.
My Django site lets users upload images. It's running on Apache.
Files are uploaded via a FileUpload form. The folder to which files are uploaded is outside the Django project, and protected as described here, i.e. the folder has 755 permissions and files have 644 permissions.
I now want to serve the images up to users - but I need to do it securely, so that executable scripts don't run, and so that users can't e.g. delete all the images in the directory.
My question is, how do I serve the uploaded images to users in a secure way? Can I serve them safely as static media directly from that folder, with those permissions? Or should I copy them into another directory with different permissions, and serve them from there?
I'm serving the other static media (/media/css) on the site as a separate, static application.
Thanks!
The way to do this is to configure your web server to serve files with the names it expects, and with a correct image content-type. Use Django's ImageField for some level of validation by PIL/Pillow that uploaded files are images. For this directory, disable webserver features like autogenerating directory indexes, autoserving everything from the filesystem, guessing at mime types, and running cgi scripts.