How to protect the Django media url?
In my code, I know how to protect my endpoint URL. I can do it like this:
class ApprovalViewSet(mixins.RetrieveModelMixin,
                      mixins.UpdateModelMixin,
                      mixins.ListModelMixin,
                      GenericViewSet):
    permission_classes = (IsAdminUser,)
    queryset = User.objects.all()
    serializer_class = ApprovalSerializer
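Problem:
However, my challenging task is that I need to change the /media url every time, because these are sensitive files. My files are stored in AWS S3.
Questions:
1. How do I protect the /media url in Django?
2. My workaround is to keep changing the url. How can I do that?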
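@markwalker_ Thank you very much for your comment. Here is my answer. The res variable here is sloppy, because it can be None and raise an error. I will add my exception definition to this question later.
Put private in settings.py: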
AWS_DEFAULT_ACL = 'private'
import logging

import boto3
from botocore.exceptions import ClientError

logger = logging.getLogger('django')


def create_presigned_url(bucket_name, object_name, expiration=3600):
    """Generate a presigned URL to share an S3 object

    :param bucket_name: string
    :param object_name: string
    :param expiration: Time in seconds for the presigned URL to remain valid
    :return: Presigned URL as string. If error, returns None.
    """
    # Generate a presigned URL for the S3 object
    s3_client = boto3.client('s3')
    try:
        response = s3_client.generate_presigned_url('get_object',
                                                    Params={'Bucket': bucket_name,
                                                            'Key': object_name},
                                                    ExpiresIn=expiration)
    except ClientError as e:
        # Log through the 'django' logger configured above
        logger.error(e)
        return None
    # The response contains the presigned URL
    return response
Then I have to override the to_representation method:
import requests
from django.conf import settings
from rest_framework import serializers


class AWSImageField(serializers.ImageField):
    def to_representation(self, value):
        if not value:
            return None
        # `media/` is `MEDIA_URL`, but it is being used with `public-config`. I don't want to mess up the common use case
        url = create_presigned_url(settings.AWS_STORAGE_BUCKET_NAME, 'media/' + value.name)
        if url is None:
            # Presigning failed, so there is no URL to return
            return None
        res = requests.get(url)
        return res.url
References:
https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl
https://boto3.amazonaws.com/v1/documentation/api/latest/guide/s3-presigned-urls.html