Can I use Django to prevent direct access to an image file?


Problem description


I'd like to prevent my web users from simply right clicking an image and copying/sharing the URL. Certain authenticated users have access to certain images, and I'd like to enforce this as much as possible. Non authenticated users should have no access to image files.

It's generally recommended to avoid storing/fetching images from a DB, due to performance issues, from what I have read.

I've considered having a function that reads the file (server side, in Python) and inserts it into the webpage (base64 encoded, possibly, or some other way) in the Django view functions. Combined with an .htaccess file that denies external requests, this would likely work, but it seems like it'd be resource intensive.

Are there any other options for enforcing this rule? I realize users can screenshot, save images, etc., but it's my responsibility to enforce these restrictions as much as possible. What are my best options?

Edit: I have no experience using a CDN, but would be willing to use this if it's a viable option that covers these needs.

Solution

I'll bite.

Session Middleware - not elegant, but it will work

You'll want the images you don't want served publicly to not be served through your standard Apache/Django static files config.

Your session middleware can then check all incoming requests for the path, and if the path is your image directory (such as /privateimg/) and the user is not authenticated, you can bounce them back out or replace it inline with another image (such as one that has a watermark).

You can check out the Django docs on how session middleware works: https://docs.djangoproject.com/en/dev/topics/http/sessions/

People can still pass your links around, but only authenticated users can actually see the contents of said links (called gating your content).

To elaborate:

settings.py

GATED_CONTENT = (
    '/some_content_dir/', # This is a directory we want to gate
    '.pdf', # maybe we want to gate an entire content type
)

MIDDLEWARE_CLASSES = (
    ...  # Out of the box middleware...blah blah
    'yourapp.somemodule.sessionmiddleware.GatedContent',
)

Then you have the following app structure

yourapp
   |-somemodule
        |-sessionmiddleware.py

Now to the meat (yum!)

sessionmiddleware.py

from django.conf import settings
from django.http import HttpResponseRedirect


class GatedContent(object):
    """
    Prevents specific content directories and types
    from being exposed to non-authenticated users
    """

    def process_request(self, request):
        path = request.path
        user = request.user  # out of the box auth, YMMV

        is_gated = False
        for gated in settings.GATED_CONTENT:
            if path.startswith(gated) or path.endswith(gated):
                is_gated = True
                break
        # Validate the user is an authenticated/valid user
        if is_gated and not user.is_authenticated():
            # Handle redirect (here: send the user to the login page)
            return HttpResponseRedirect(settings.LOGIN_URL)
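
An added example, not part of the original answer: the same gate written as new-style middleware for Django 2.0 and later, where `MIDDLEWARE_CLASSES` and the callable `is_authenticated()` no longer exist, with the path normalised before matching so that equivalent spellings of a path get the same decision. The names `GatedContentMiddleware` and `is_gated` and the `LOGIN_URL` value are assumptions chosen for this sketch; the rule values are copied from the answer's settings.py.

```python
import posixpath

# Same rule format as the answer's settings.GATED_CONTENT (values copied from it).
# In a project, read both constants from django.conf.settings instead.
GATED_CONTENT = ('/some_content_dir/', '.pdf')
LOGIN_URL = '/accounts/login/'  # assumed value; this is Django's default LOGIN_URL


def is_gated(path, rules=GATED_CONTENT):
    """Return True if path matches a gated prefix or suffix after normalisation."""
    # Collapse '//', '/./' and '/../' so every spelling of a path is judged alike.
    norm = posixpath.normpath('/' + path.lstrip('/'))
    if path.endswith('/') and norm != '/':
        norm += '/'  # normpath drops the trailing slash; keep it for prefix rules
    norm = norm.lower()  # '.PDF' and '.pdf' get the same decision
    return any(norm.startswith(r.lower()) or norm.endswith(r.lower())
               for r in rules)


class GatedContentMiddleware:
    """New-style (MIDDLEWARE setting) equivalent of the answer's GatedContent."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        user = getattr(request, 'user', None)
        # is_authenticated is a property on Django 1.10+, not a method call.
        authenticated = getattr(user, 'is_authenticated', False)
        if is_gated(request.path) and not authenticated:
            # Imported lazily so is_gated() can be unit-tested without Django.
            from django.http import HttpResponseRedirect
            return HttpResponseRedirect(LOGIN_URL)
        return self.get_response(request)
```

List the class after `AuthenticationMiddleware` in `MIDDLEWARE` so that `request.user` is populated. As the answer says, the gate only covers requests that reach Django, so the gated files must stay out of the web server's static file configuration.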
