How do you Require Login for Media Files in Django


Problem description


I'm serving "sensitive" information in downloadable PDF's and Spreadsheets within a user registration section of a site.


Is there a way to allow the django authentication to secure this media without serving it (and not have to manually login using basic auth)?


I'm guessing there's (fingers crossed) not a way to do it with the pseudo code below, but it helps better illustrate the end goal.

#urls.py
from django.urls import re_path
from . import views

urlpatterns = [re_path(r'^protected_media/(?P<filename>.*)$', views.protected_media)]

#views.py
from pathlib import Path
from django.conf import settings
from django.contrib.auth.decorators import login_required
from django.http import FileResponse, Http404
@login_required
def protected_media(request, filename):
    # @login_required bounces anonymous users out to settings.LOGIN_URL;
    # if logged in, serve "filename" from PROTECTED_MEDIA_ROOT (an assumed
    # setting naming a directory Apache itself does not expose)
    root = Path(settings.PROTECTED_MEDIA_ROOT).resolve()
    path = (root / filename).resolve()  # refuse any path that escapes root
    if root not in path.parents or not path.is_file():
        raise Http404
    return FileResponse(open(path, 'rb'))


Recommended answer


It seems to me that the method you outlined in your code should work. It's really no different than any other protected resource: your views can serve files from disks, records from databases, rendered templates or anything. Just as the login_required decorator prevents unauthorized access to other views, it will prevent such access to your view serving protected media.


Am I missing something from your question here? Please clarify if that's the case.


EDIT: With regard to the django doc link in your comment: that's the method for simply serving any requested file from a particular directory. So, in that example, URLs like /site_media/foo.jpg and /site_media/somefolder/bar.jpg will automatically look for files foo.jpg and somefolder/bar.jpg under document_root. Basically, everything under document_root will be publicly available. That's obviously insecure. So you avoid that with your method.


It's also considered inefficient because django is just adding a lot of unnecessary overhead when all you need is something like Apache to take a URL request and map it to a file on the hard drive. (You don't need django sessions, request processing, etc.)


In your case, this may not be such a big concern. First, you've secured the view. Second, it depends on your usage patterns. How many requests do you anticipate for these files? You're only using django for authentication -- does that justify other overhead? If not, you can look into serving those files with Apache and using an authentication provider. For more on this, see the mod_wsgi documentation:

  • http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms
    • See the Apache authentication provider section and search for django

There are similar mechanisms available under mod_python I believe. (Update: just noticed the other answer. Please see Andre's answer for the mod_python method.)

EDIT 2: With regard to the code for serving a file, please see this snippet:

  • http://www.djangosnippets.org/snippets/365/

The send_file method uses a FileWrapper which is good for sending large static files back (it doesn't read the entire file into memory). You would need to change the content_type depending on the type of file you're sending (pdf, jpg, etc).
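As an added example (not the djangosnippets code or the answerer's), here is a send_file in the spirit of the snippet, built on the standard library's wsgiref FileWrapper (the class Django's FileWrapper is based on) so it runs outside Django: the content type follows the file name instead of being hard-coded, the file is streamed in chunks, and a filename from the `(?P<filename>.*)` pattern that escapes the protected directory is treated exactly like a missing file. The protected directory and its two files are constructed in a temporary directory.

```python
import mimetypes
import os
import tempfile
from wsgiref.util import FileWrapper


def send_file(root, filename, chunk_size=8192):
    """Return (status, headers, body) for a file under root, streamed in chunks.

    FileWrapper yields the file chunk by chunk instead of reading it all into
    memory, and Content-Type comes from the file name rather than being
    hard-coded for one type. A path resolving outside root ("../settings.py")
    is refused exactly like a missing file, so the two are indistinguishable.
    """
    root = os.path.realpath(root)
    path = os.path.realpath(os.path.join(root, filename))
    if not path.startswith(root + os.sep) or not os.path.isfile(path):
        return "404 Not Found", [("Content-Type", "text/plain")], [b"Not found"]
    content_type, _ = mimetypes.guess_type(path)
    headers = [
        ("Content-Type", content_type or "application/octet-stream"),
        ("Content-Length", str(os.path.getsize(path))),
        ("Content-Disposition", 'attachment; filename="%s"' % os.path.basename(path)),
    ]
    return "200 OK", headers, FileWrapper(open(path, "rb"), chunk_size)


def demo():
    """Constructed sample data: a protected directory holding a PDF and a CSV."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample " * 1000)  # 28000 bytes, 4 chunks
    with open(os.path.join(root, "figures.csv"), "wb") as fh:
        fh.write(b"year,revenue\n2023,100\n")
    results = {}
    for name in ("report.pdf", "figures.csv", "../settings.py", "missing.pdf"):
        status, headers, body = send_file(root, name)
        chunks = list(body)  # what the WSGI server would iterate and write out
        results[name] = (status, dict(headers)["Content-Type"],
                         len(chunks), len(b"".join(chunks)))
    return results


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```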
