Secure static media access in a Django site

I'm building a site where registered users can upload files. Those files are then served via Apache. Only users who are logged in should be able to access those files.

I have read this page but it seems that people would have to log in twice to access both the site and the media, each time using a different type of login box.

Is there a way around this or is there some other way to limit access to static media served by Apache using the Django authentication database?

I'm using mod_python.

EDIT: How I ended up solving this after reading Van Gale's answer and this:

  1. Switched to WSGI.
  2. Installed mod_xsendfile
  3. Moved all public media files into a subfolder in /media/public
  4. Added access to the public folder using an Alias /media/public /var/www.../media/public
  5. Added WSGIScriptAlias /media/protected/ /var/www.../apache/django.wsgi (same handler as for the rest of the site)
  6. Added XSendFile On and XSendFileAllowAbove On
  7. To the Django app I added a urlconf for /media/protected which does basically what's here, only modified for my authentication system. It handles URLs such as /media/protected/GROUP_ID/file so that only members of the GROUP can download the files.
asked Aug 27 '09 12:08

Tomas Andrle



1 Answer

The usual way to do this is to pass back a special header to the web server.

You can do it with nginx using x-accel-redirect as in this Django snippet.

For Apache, it should be pretty similar using the mod_xsendfile module (discussion and examples on Django users mailing list).

answered Oct 08 '22 15:10

Van Gale
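An added example, not part of the original question, answer or the linked snippets: the authorization decision behind the special-header approach, written as framework-neutral Python that a Django view for /media/protected/GROUP_ID/file could call before handing the file to mod_xsendfile. The function name, the `PROTECTED_ROOT` path and the numeric group ids are assumptions made for illustration.

```python
from pathlib import PurePosixPath

# Assumed layout (hypothetical): protected uploads live under this directory,
# one subdirectory per group id, matching /media/protected/GROUP_ID/file.
PROTECTED_ROOT = PurePosixPath("/srv/example/media/protected")
URL_PREFIX = "/media/protected/"


def protected_media_response(is_authenticated, user_group_ids, url_path):
    """Return (status, headers) for a request to /media/protected/GROUP_ID/file.

    On 200 the body stays empty: mod_xsendfile sees the X-Sendfile header and
    Apache streams the file itself. With nginx the same decision would set
    X-Accel-Redirect to an internal location instead.
    """
    if not is_authenticated:
        return 403, {}
    if not url_path.startswith(URL_PREFIX):
        return 404, {}
    group_id, sep, filename = url_path[len(URL_PREFIX):].partition("/")
    # Exactly one ASCII-numeric group segment is accepted.
    if not sep or not (group_id.isascii() and group_id.isdigit()):
        return 404, {}
    # The file part must be a single plain name: no traversal, no nested
    # paths, and no control characters that could split the response header.
    if (filename in ("", ".", "..")
            or "/" in filename or "\\" in filename
            or any(ord(ch) < 32 or ord(ch) == 127 for ch in filename)):
        return 404, {}
    # Only members of the group named in the URL may download the file.
    if int(group_id) not in user_group_ids:
        return 403, {}
    # Normalise the id ("007" -> "7") so the URL maps to one directory only.
    target = PROTECTED_ROOT / str(int(group_id)) / filename
    return 200, {"X-Sendfile": str(target)}
```

In a Django view, the status and headers returned here would be copied onto an empty `HttpResponse`, with `is_authenticated` and the group ids taken from the site's own authentication system.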