如何保护 Django 媒体 url?

How to protect the Django media url?

在我的代码中,我知道如何保护我的 endpoint url。我可以这样做

class ApprovalViewSet(mixins.RetrieveModelMixin,
                      mixins.UpdateModelMixin,
                      mixins.ListModelMixin,
                      GenericViewSet):
    permission_classes = (IsAdminUser,)
    queryset = User.objects.all()
    serializer_class = ApprovalSerializer

问题:
但是,我的挑战性任务是每次都需要更改 /media url,因为它是敏感文件。我的文件存储在 AWS S3

问题:
1.如何在Django
中保护/mediaurl 2. 我的解决方法是不断更改 url。我该怎么做?

@markwalker_ 非常感谢您的评论。这是我的答案。 res 这里的变量很草率,因为它可以是 None 并引发错误。我稍后会在这个问题上添加我的异常定义

private放入settings.py AWS_DEFAULT_ACL = 'private'

import logging
import boto3
from botocore.exceptions import ClientError

logger = logging.getLogger('django')

def create_presigned_url(bucket_name, object_name, expiration=3600):
    """Generate a presigned URL to share an S3 object

    :param bucket_name: string
    :param object_name: string
    :param expiration: Time in seconds for the presigned URL to remain valid
    :return: Presigned URL as string. If error, returns None.
    """

    # Generate a presigned URL for the S3 object
    s3_client = boto3.client('s3')
    try:
        response = s3_client.generate_presigned_url('get_object',
                                                    Params={'Bucket': bucket_name,
                                                            'Key': object_name},
                                                    ExpiresIn=expiration)
    except ClientError as e:
        logging.error(e)
        return None

    # The response contains the presigned URL
    return response

那我就得override方法to_representation

class AWSImageField(serializers.ImageField):
    def to_representation(self, value):
        if not value:
            return None

        # `media/` is `MEDIA_URL`, but it is being used with `public-config`. I don't want to mess up the common use case
        url = create_presigned_url(settings.AWS_STORAGE_BUCKET_NAME, 'media/' + value.name)
        if url is not None:
            res = requests.get(url)

        return res.url

参考文献:
https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl

https://boto3.amazonaws.com/v1/documentation/api/latest/guide/s3-presigned-urls.html