I am serving "sensitive" information in downloadable PDFs and Excel spreadsheets inside a user-registration portion of a website.
Is there a way to let the django authentication secure this media without django itself serving it (and without having to log in by hand using basic auth)?
I am guessing there is (fingers crossed) not a way to do it using the pseudo code below, but it helps better illustrate the end goal.
    # urls.py
    (r'^protected_media/(?P<filename>.*)$', 'protected_media')

    # views.py
    import os
    from django.conf import settings
    from django.contrib.auth.decorators import login_required
    from django.http import HttpResponse

    @login_required
    def protected_media(request, filename):
        # @login_required bounces you to the login url
        # if logged in, serve "filename" from Apache
        # (hand-off via the X-Sendfile header; PROTECTED_ROOT is an assumed setting
        # naming the directory Apache is allowed to read the file from)
        response = HttpResponse()
        response['X-Sendfile'] = os.path.join(settings.PROTECTED_ROOT, filename)
        return response
It seems to me the approach you laid out in your code should work. It's no different from any other protected resource: your views can serve files from disk, records from a database, rendered templates or anything else. Just as the login_required decorator prevents unauthorized access to other views, it will prevent such access to your view serving protected media.
Am I missing something in your question here? Please clarify if that is the case.
EDIT: Regarding the django doc link in your comment: that is a way of simply serving any requested file from a particular directory. So, in that example, URLs like /site_media/somefolder/bar.zip will automatically look for files under document_root. Basically, everything under document_root is going to be publicly available. That's clearly insecure. So you should avoid that method.
It is also considered inefficient because django is just adding lots of unnecessary overhead when all you need is something like Apache to take a URL request and map it to a file on the hard disk. (You do not need django sessions, request processing, etc.)
In your situation, it isn't really such a large concern. First, you've secured the view. Second, it depends on your usage patterns. How many requests do you anticipate for these files? You are only using django for authentication -- does that justify the other overhead? If not, you can consider serving those files with Apache and using an authentication provider. For more about this, see the section "Apache Authentication Provider" and search for django.
There are similar mechanisms available under mod_python, I believe. (Update: just noticed another answer. Please see Andre's answer for that
EDIT 2: Regarding the code for serving private files, please see this snippet: the send_file method uses a FileWrapper, which is good for sending large static files back (it does not read the entire file into memory). You should change the content_type depending on the kind of file you are sending (pdf, zip, etc).
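The pattern the answer describes (an authenticated view that maps the captured filename onto a file under a fixed document root, streams it with a FileWrapper instead of reading it into memory, and sets the content type per file) can be shown without Django at all, since FileWrapper comes from the standard library's wsgiref. The block below is an added, framework-free example written for this page, not the snippet the answer links to and not Django code: environ["app.user"] is an assumed stand-in for the login_required check on request.user, DOCUMENT_ROOT is a constructed temporary directory with two sample files, and EXTRA_TYPES is an assumed override table for extensions mimetypes may not know. It also adds the check the question's pseudo code omits: a filename captured from the URL must not be allowed to escape the document root.

```python
import mimetypes
import os
import tempfile
from wsgiref.util import FileWrapper

# Constructed sample document root (not from the page): two small "sensitive" files.
DOCUMENT_ROOT = tempfile.mkdtemp(prefix="protected_media_")
with open(os.path.join(DOCUMENT_ROOT, "report.pdf"), "wb") as fh:
    fh.write(b"%PDF-1.4 constructed sample\n")
os.mkdir(os.path.join(DOCUMENT_ROOT, "q1"))
with open(os.path.join(DOCUMENT_ROOT, "q1", "numbers.xlsx"), "wb") as fh:
    fh.write(b"PK\x03\x04 constructed sample\n")

# Assumed override table: consulted before mimetypes, which may not know newer types.
EXTRA_TYPES = {
    ".xlsx": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    ".pdf": "application/pdf",
}


class Forbidden(Exception):
    """Raised when the requested name resolves outside DOCUMENT_ROOT."""


def resolve_protected_path(document_root, filename):
    """Join the URL-captured filename onto the root and refuse anything that escapes it.

    realpath collapses '..' and symlinks, so the comparison is done on the final
    location rather than on the string the client sent.
    """
    root = os.path.realpath(document_root)
    candidate = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, candidate]) != root:
        raise Forbidden(filename)
    return candidate


def content_type_for(path):
    """Pick the Content-Type from the extension, falling back to a generic binary type."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXTRA_TYPES:
        return EXTRA_TYPES[ext]
    return mimetypes.guess_type(path)[0] or "application/octet-stream"


def send_file(document_root, filename, chunk_size=8192):
    """Return (status, headers, body) for the file; the body streams in chunks."""
    path = resolve_protected_path(document_root, filename)
    if not os.path.isfile(path):
        return "404 Not Found", [("Content-Type", "text/plain")], [b"not found"]
    headers = [
        ("Content-Type", content_type_for(path)),
        ("Content-Length", str(os.path.getsize(path))),
        ("Content-Disposition", 'attachment; filename="%s"' % os.path.basename(path)),
    ]
    # FileWrapper yields chunk_size bytes at a time, so large files never sit in memory whole.
    return "200 OK", headers, FileWrapper(open(path, "rb"), chunk_size)


def protected_media(environ, start_response):
    """WSGI application playing the role of the login_required view."""
    if environ.get("app.user") is None:
        # login_required would redirect to the login URL; do the same here.
        start_response("302 Found", [("Location", "/accounts/login/")])
        return [b""]
    filename = environ.get("PATH_INFO", "").lstrip("/")
    try:
        status, headers, body = send_file(DOCUMENT_ROOT, filename)
    except Forbidden:
        status, headers, body = "403 Forbidden", [("Content-Type", "text/plain")], [b"forbidden"]
    start_response(status, headers)
    return body


def call_app(environ):
    """Drive protected_media like a WSGI server would; returns (status, headers, bytes)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    body = protected_media(environ, start_response)
    data = b"".join(body)
    if hasattr(body, "close"):
        body.close()
    return captured["status"], dict(captured["headers"]), data


if __name__ == "__main__":
    print(call_app({"PATH_INFO": "/report.pdf"})[0])                       # 302: not logged in
    print(call_app({"PATH_INFO": "/report.pdf", "app.user": "alice"})[:2])  # 200 + headers
    print(call_app({"PATH_INFO": "/../outside.txt", "app.user": "alice"})[0])  # 403
```

In a real deployment the view body would either stream the file as above or, as the question's comment suggests, hand the resolved path to Apache through an X-Sendfile header so that django does only the authentication and the traversal check while the web server does the byte copying; the path check stays necessary in both variants, because the filename still comes from the URL.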