I have a situation where I have a Django app where users sign up for an account. The users generate a bunch of Excel files each month. These files are currently simply files generated on the server and stored in the filesystem, and are not part of any model definition right now, though I could probably change that to have them defined in a model, and use together with user permissions.
The app is working as expected, but I am stuck on how to let users browse and download their own generated files, while disallowing access to other users' files.
I was looking at django-filer, but am wondering if anybody has met with this situation before?
You'll want a FileField, a FK or M2M to User or Group, and this.
Related
I'm creating a website where the user is able to upload large files. Around 100-300Mb. I'm using django but I want to know what is the best option to save the files. Should I just add them to my user database? Or should I create a media folder and save the files there. If so then this would mean that I have to save the name of the file in my user database?
Please let me know how you would tackle this issue.
django does not store files in the database, but in media folder. The FileField contains the path to the file(in the media folder). You can change that behavior but it is not recommended(as general practice). What you should consider however is that files of that size will require some more work both in django and the front-end since the upload process will freeze the server. A potential solution to the problem is this: https://pypi.org/project/django-chunked-upload/
I have an app which server uploading/downloading files. It has users with different privileges, e.g. some users can download only certain files.
The problem is, if someone manages to type the exact URL of the file (e. g. localhost:8000/data/somefile.txt), they even do not need to be logged in and can see/download the file anyway.
Is there any way how to prevent this?
I am providing sensitive username and password file to the authenticated user. I want user to download the file via file_url in template through model.
File_link = models.FileField(upload_to='SAFE_DIRECTORY_PATH')
I don't feel it safe storing it in media directory
Any suggestions keeping them safe ,web app will be generating the link.
Some security notes first.
This is probably a bad idea. Storing sensitive information in plain files is probably not the correct security approach, especially if you plan to use Django's media storage backend for doing that. It leaves all files out-in-the-open.
If however you really, really, and I mean really need to do that, you should encrypt the file first before saving in Django.
Again though, if at all possible I would recommend to store sensitive information in db. In your case of storing passwords, you can use Django techniques to store that information relatively-safely such as correctly hashing passwords via pbkdf function (e.g. pbkdf or bcrypt, etc). If users will need to download that information, you can always generate the file on the fly for them for download.
Some suggestions for uploading files.
I usually assign random filenames to the uploaded files. This way at least its more challenging for the users to guess the filenames to download them. Not very security since this relies on security by obfuscation but its better then nothing. If you need a Django field which does that automatically, you can do that by making upload_to a callable (there are also 3rd party libs for doing that such as django-auxilium although for full disclosure Im the author of that lib).
Now that files are stored with random filenames, you probably never want to provide direct download links to the users for download but instead authenticate them first and then use something like X-Accel in nginx or X-Sendfile in Apache to actually serve the file to the user. The idea being that you first authenticate user in Django. Then however instead of Django serving the file, you return a special header which nginx/apache catches which contains a filepath to the file nginx/apache should serve to the user. This way you dont have to waste resources in Django to serve the file however you still get the advantage of being able to authenticate the request. There are a number of 3rd party apps for doing that as well.
Finally to protect users from downloading the media files you can use nginx (and I imagine apache) by restricting certain parts of the media folder:
location /media/protected {
internal;
alias /var/www/files;
}
In this case nginx will refuse direct user requests to /media/protected and will only allow to serve those files via X-Accel-Redirect header sent by Django. Then all you have to configure in Django is to store files in that path to make them protected:
models.FileField(upload_to='protected/myfiles')
I was looking for a solution to serve files only to authorized users and came across this post. I think it it is top google result for "django storing and providing secure files"
As the answer is rather old I wanted to share my finding:
django-private-storage (https://pypi.org/project/django-private-storage/) seems to be a good solution to this problem.
Do any of you know of a Django app out there for allowing users to browse for files, and upload new ones? The ones I have found seem to be built as an add-on for the admin interface (django-filebrowser, django-filer).
Not aiming for anything incredibly complex, just something that allows a user to upload files and then browse between folders (either specific directories on the server, or artificially generated "folders" out of some model field).
I recall the admin tutorial mentioned "The admin isn’t intended to be used by site visitors. It’s for site managers."
My thought from above is that it would be bad practice to simply allow users to see content via the admin interface, and that it would be better to create an app to allow for this.
To get the convenience that your end users usually expect in the age of google drive, you really want a complex javascript filebrowser that plays nicely with django.
I'm using yawd-elfinder which is a great django backend for elfinder to manage my students' association's website with great success ( About 1500 users with different groups and privileges).
Features:
Yawd-elfinder can manage local files but also use Django filesystem storages to connect to remote filesystems. A set of django options allows control over file and directory permissions, accepted mime types, max file sizes etc.
It allows you to have fairly complex management of files and different permissions for different users by activating different roots and/or mapping them differently based on the user.
Furthermore you have capabilities like drag and drop, upload by drag and drop and it's very customizable.
I'm not sure it's maintained anymore, but you can find working code here with the relevant views and templates.
Ok, I know that serving media files through Django is a not recommended. However, I'm in a situation where I'd like to serve "static" files using fine-grained access control through Django models.
Example: I want to serve my movie library to myself over the web. I'm often travelling and I'd like to be able to view any of my movies wherever I am, provided I have internet access. So I rip my DVDs, upload them to my server and build this simple Django application coupled with some embeddable video player.
To avoid any legal repercussions, I'd like to ensure that only logged-on users with the proper permissions (i.e. myself and people living in the same household, which can, like me, access the real DVDs at their convenience), but denies it to other users (i.e. people who posted comments on my blog) and returns an HTTP 404.
Now, serving these files directly using Apache and mod_wsgi is rather troublesome because when an HTTP request for the media files (i.e. http://video.mywebsite.com/my-favorite-movie/) comes in, I need to validate against my user database that the person at the other end has the proper permissions.
Question: can I achieve this effect without serving the media files directly through a Django view? What are my options?
One thing I did think of is to write a simple script that takes a session ID and a video's slug and returns some boolean indicating if the user may (or may not) access the video file. Then, somehow request mod_wsgi to execute this script before accessing the requested URL and return an HTTP 404 if the script failed. However, I don't have a clue if this is even possible.
Edit: Posting this question clarified some of my ideas for search and I've come across mod_python's file wrapper extension. Does anyone have enough experience with that to validate that it is a viable solution?
Yes, you can hook into Django's authentication from Apache. See this how-to:
Authenticating against Django’s user database from Apache