How do you Require Login for Media Files in Django


Question

I'm serving "sensitive" information in downloadable PDF's and Spreadsheets within a user registration section of a site.

Is there a way to allow the django authentication to secure this media without serving it (and not have to manually login using basic auth)?

I'm guessing there's (fingers crossed) not a way to do it with the pseudo code below, but it helps better illustrate the end goal.

# urls.py
from django.urls import re_path
from . import views

urlpatterns = [
    re_path(r'^protected_media/(?P<filename>.*)$', views.protected_media, name='protected_media'),
]

# views.py
from django.contrib.auth.decorators import login_required

@login_required
def protected_media(request, filename):
    # @login_required bounces you out to the login url
    # if logged in, serve "filename" from Apache
    ...  # body intentionally left open in the question

Accepted answer

It seems to me that the method you outlined in your code should work. It's really no different than any other protected resource: your views can serve files from disks, records from databases, rendered templates or anything. Just as the login_required decorator prevents unauthorized access to other views, it will prevent such access to your view serving protected media.

Am I missing something from your question here? Please clarify if that's the case.

With regard to the django doc link in your comment: that's the method for simply serving any request file from a particular directory. So, in that example URLS like /site_media/foo.jpg, /site_media/somefolder/bar.jpg will automatically look for files foo.jpg and somefolder/bar.jpg under document_root. Basically, every thing under document_root will be publicly available. That's obviously insecure. So you avoid that with your method.

It's also considered inefficient because django is just adding a lot of unnecessary overhead when all you need is something like Apache to take a URL request and map it to a file on the hard drive. (You don't need django sessions, request processing, etc.)

In your case, this may not be such a big concern. First, you've secured the view. Second, it depends on your usage patterns. How many requests do you anticipate for these files? You're only using django for authentication -- does that justify other overhead? If not, you can look into serving those files with Apache and using an authentication provider. For more on this, see the mod_wsgi documentation:

  • http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms
    • See the "Apache Authentication Provider" section and search for django

There are similar mechanisms available under mod_python I believe. (Update: just noticed the other answer. Please see Andre's answer for the mod_python method.)

EDIT 2: With regard to the code for serving a file, please see this snippet:

The send_file method uses a FileWrapper which is good for sending large static files back (it doesn't read the entire file into memory). You would need to change the content_type depending on the type of file you're sending (pdf, jpg, etc).
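The following is an added example of the approach the answer endorses; it is not the answerer's snippet (whose link did not survive on this page) and not Django's own code. It keeps the `login_required` view from the question, but adds the check a reviewer would ask for before shipping it: the captured `filename` is mapped onto a fixed directory and anything that resolves outside that directory (`..` segments, absolute paths, symlinks pointing elsewhere) is refused, so the login gate cannot be walked around via the path. Streaming uses Django's `StreamingHttpResponse` with a chunked generator rather than the older `FileWrapper`, which serves the same purpose of not reading the whole file into memory. `PROTECTED_ROOT` is an assumed location (it must sit outside any directory Apache serves directly), the Django import is guarded so the helpers also run without Django installed, and `demo()` builds a constructed directory with a constructed sample file to exercise them.

```python
import mimetypes
import tempfile
from pathlib import Path

# Assumed location of the protected files (not from the original post). It must
# live OUTSIDE any directory Apache serves directly, or the login check is moot.
PROTECTED_ROOT = Path("/srv/protected_media")

CHUNK_SIZE = 64 * 1024


def resolve_protected_path(root, filename):
    """Map the URL capture `filename` onto a real file under `root`.

    Raises PermissionError if the result would escape `root` (".." segments,
    absolute paths, or symlinks pointing outside) and FileNotFoundError if
    nothing is there.  The containment check runs before the existence check,
    so an attacker learns nothing about files outside the root.
    """
    root = Path(root).resolve()
    # An absolute `filename` replaces `root` in the join, and resolve() follows
    # symlinks; both cases end up outside `root` and fail relative_to() below.
    candidate = (root / filename).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PermissionError("path escapes the protected root: %r" % filename) from None
    if not candidate.is_file():
        raise FileNotFoundError(filename)
    return candidate


def content_type_for(path):
    """Pick the Content-Type from the extension, defaulting to a generic binary type."""
    ctype, _encoding = mimetypes.guess_type(str(path))
    return ctype or "application/octet-stream"


def iter_file(path, chunk_size=CHUNK_SIZE):
    """Yield the file in chunks so a large PDF is never read into memory at once."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return
            yield chunk


try:
    from django.contrib.auth.decorators import login_required
    from django.http import Http404, HttpResponseForbidden, StreamingHttpResponse
except ImportError:  # Django absent: the helpers above still work stand-alone
    login_required = None

if login_required is not None:

    @login_required  # anonymous users are redirected to settings.LOGIN_URL
    def protected_media(request, filename):
        """Serve one file from PROTECTED_ROOT to an authenticated user."""
        try:
            path = resolve_protected_path(PROTECTED_ROOT, filename)
        except PermissionError:
            return HttpResponseForbidden()
        except FileNotFoundError:
            raise Http404(filename)
        response = StreamingHttpResponse(iter_file(path), content_type=content_type_for(path))
        response["Content-Length"] = str(path.stat().st_size)
        response["Content-Disposition"] = 'attachment; filename="%s"' % path.name
        response["X-Content-Type-Options"] = "nosniff"
        return response


def demo(root=None):
    """Exercise the helpers against a constructed directory; returns the outcomes."""
    root = Path(root) if root is not None else Path(tempfile.mkdtemp())
    (root / "reports").mkdir(parents=True, exist_ok=True)
    # constructed sample file standing in for a real PDF
    (root / "reports" / "q1.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    served = resolve_protected_path(root, "reports/q1.pdf")
    try:
        resolve_protected_path(root, "../../etc/passwd")
        traversal = "served"
    except PermissionError:
        traversal = "refused"
    return {
        "served_name": served.name,
        "served_type": content_type_for(served),
        "served_body": b"".join(iter_file(served, chunk_size=4)),
        "traversal": traversal,
    }


if __name__ == "__main__":
    print(demo())
```

Wire `protected_media` into the URL pattern from the question; the same view also covers the doc-link case the answer warns about, because the directory is never exposed by a blanket static-serving rule, only through this authenticated view. If request volume later justifies moving the work to Apache, the path containment is exactly what the web server's own file mapping gives you for free, so the mod_wsgi authentication-provider route replaces this view without changing the guarantee.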
