Django secure user to local system directory mapping
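I have a problem where I have to securely let logged-in users access local directory contents from a specified path, /DjangoApp/media/user1. That is, when user1 is logged in, they should only be able to access contents from /DjangoApp/media/user1.

My current view is: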

def get_absolute_pathname(pathname='', safe=True):
    if not pathname:
        return os.path.join(MEDIA_ROOT, 'index')
    if safe and '..' in pathname.split(os.path.sep):
        return get_absolute_pathname(pathname='')
    return os.path.join(MEDIA_ROOT, pathname)

@login_required
def retrieve_path(request, document_root, pathname=''):
    pathname = None
    if request.user.is_authenticated():
        pathname = request.user.get_username()
    abs_pathname = get_absolute_pathname(pathname)
    url = document_root
    response = HttpResponseRedirect(url)
    return response

The current URLs are:

url(regex = r'^%s(?P<path>.*)$' % settings.STATIC_URL[1:],
    view = 'django.views.static.serve',
    kwargs = { 'document_root': '/home/www/abc/DjangoProject/media/',
               'show_indexes' : True}),
url(r'^user1/(?P<pathname>.*)$', 'logd.views.retrieve_path', {
    'document_root': 'http://127.0.0.1:8000/DjangoApp/static/user1',
}),
url(r'^user2/(?P<pathname>.*)$', 'logd.views.retrieve_path', {
    'document_root': 'http://127.0.0.1:8000/DjangoApp/static/user2',
}),
url(r'^user3/(?P<pathname>.*)$', 'logd.views.retrieve_path', {
    'document_root': 'http://127.0.0.1:8000/DjangoApp/static/user3',
}),
url(r'^user4/(?P<pathname>.*)$', 'logd.views.retrieve_path', {
    'document_root': 'http://127.0.0.1:8000/DjangoApp/static/user4',
}),

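I am able to access http://127.0.0.1:8000/DjangoApp/static/ directly from the URL, but I want to restrict access.
What am I doing wrong, and how can I make access authenticated and restricted to fixed paths only?
Thanks
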
Secure media files should not be served to anonymous users; better to protect the URL...
Use @login_required
and def protected_serve(request, path, document_root=None):
and you can protect it.
More info: "How to to make a file private by securing the url that only authenticated users can see"
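
The answer names a `protected_serve` view behind `@login_required` but does not show the per-user path check, and the `'..'` test in the question does not cover absolute paths or symlinks. The following is an added example, not code from the question or the answer: the function name `resolve_user_path` and the temporary directory tree are assumptions constructed for illustration, and a view would pass `request.user.get_username()` as `username` before serving the returned path.

```python
import os
import tempfile

def resolve_user_path(media_root, username, requested):
    """Return the real path of `requested` inside media_root/username, or raise PermissionError."""
    # Assumption: a username maps to exactly one directory name under media_root.
    if not username or username in (".", "..") or os.path.sep in username or "\0" in username + requested:
        raise PermissionError("invalid username or path")
    user_root = os.path.realpath(os.path.join(media_root, username))
    # realpath collapses '..' and follows symlinks. An absolute `requested` makes
    # os.path.join discard user_root, which the containment check below rejects.
    candidate = os.path.realpath(os.path.join(user_root, requested))
    if os.path.commonpath([user_root, candidate]) != user_root:
        raise PermissionError("path escapes the user's directory")
    return candidate

def demo():
    """Build a constructed media tree and return the outcome of each request made as user1."""
    results = {}
    with tempfile.TemporaryDirectory() as media_root:
        for user in ("user1", "user2"):
            os.makedirs(os.path.join(media_root, user))
            with open(os.path.join(media_root, user, "report.txt"), "w") as fh:
                fh.write(user)
        # A symlink inside user1's directory that points at user2's directory.
        os.symlink(os.path.join(media_root, "user2"), os.path.join(media_root, "user1", "link"))
        requests = {
            "own file": "report.txt",
            "dot-dot": "../user2/report.txt",
            "absolute": os.path.join(media_root, "user2", "report.txt"),
            "symlink": "link/report.txt",
        }
        for label, requested in requests.items():
            try:
                resolve_user_path(media_root, "user1", requested)
                results[label] = "allowed"
            except PermissionError:
                results[label] = "denied"
    return results

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The directory is derived from the authenticated user rather than from the URL, so one URL pattern can replace the per-user `user1/` to `user4/` entries.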