保护用户上传的文件django [英] protecting user uploaded files django

问题描述

如何允许用户将文件上传到他们自己的，用户指定的文件夹，并且仅查看他们已上传的文件？我正在使用Django文件传输。目前，它可以让我选择将媒体放入哪个文件，但是我可以将其放入任何用户的文件中，并查看每个用户的媒体。这是我的uploads / models.py：

How can I allow users to upload files to their own, user designated folder, and only see files that they have uploaded? I am using django file-transfer. Currently it gives me a choice of what file to put the media in, but I can put it in any user's file and view every user's media. Here is my uploads/models.py:

from django.db import models
from django.contrib.auth.models import User, UserManager

def uploadmodel_file_upload_to(instance, filename):
    print 'instance.user.username = '+ str(instance.user.username)
    return 'uploads/%s/%s' % (instance.user.username, filename)

class UploadModel(models.Model):
    user = models.ForeignKey('auth.user')
    file = models.FileField(upload_to=uploadmodel_file_upload_to)

推荐答案

uploadmodel_file_upload_to返回相对路径。要构建完整路径，django将设置settings.MEDIA_ROOT。

uploadmodel_file_upload_to returns a relative path. To build the full path, django prepends settings.MEDIA_ROOT. MEDIA_ROOT is supposed to be public readable.

因此我们想将文件保存在MEDIA_ROOT之外。将这样的内容添加到settings.py中：

So we want to save the file outside MEDIA_ROOT. Add something like this to settings.py:

import os.path
PROJECT_ROOT=os.path.abspath(os.path.dirname(__file__))
PROTECTED_MEDIA_ROOT=os.path.join(PROJECT_ROOT, 'protected_uploads')

现在，您可以更新uploadmodel_file_upload_to以返回绝对路径：

Now you can update uploadmodel_file_upload_to to return an absolute path:

def uploadmodel_file_upload_to(instance, filename):
    return '%s/%s/%s' % (settings.PROTECTED_MEDIA_ROOT, instance.user.username,
        filename)

现在文件已保存在/ project / path / protected_uploads中，我们需要添加一个视图以供使用，例如：

Now that the files are saved in /project/path/protected_uploads, we need to add a view to serve it, for example:

import os 
import mimetypes

from django import shortcuts
from django import http
from django.conf import settings
from django.views.static import was_modified_since
from django.utils.http import http_date

from .models import *

def serve_upload(request, upload_id):
    upload = shortcuts.get_object_or_404(UploadModel, pk=upload_id)
    fullpath = upload.file.path

    if request.user != upload.user:
        return http.HttpResponseForbidden()

    statobj = os.stat(fullpath)
    mimetype, encoding = mimetypes.guess_type(fullpath)
    mimetype = mimetype or 'application/octet-stream'
    if not was_modified_since(request.META.get('HTTP_IF_MODIFIED_SINCE'),
                              statobj.st_mtime, statobj.st_size):
        return http.HttpResponseNotModified(mimetype=mimetype)
    response = http.HttpResponse(open(fullpath, 'rb').read(), mimetype=mimetype)
    response["Last-Modified"] = http_date(statobj.st_mtime)
    response["Content-Length"] = statobj.st_size
    if encoding:
        response["Content-Encoding"] = encoding
    return response

和一个网址：

url(r'serve_upload/(?P<upload_id>\d+)/$', 'serve_upload'),

这篇关于保护用户上传的文件django的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！