
I used this nice example to upload files to my webapp:

Need a minimal Django file upload example

It works well, and I can do most things with it. But when it lists the files they are a clickable link (obviously) and can be downloaded, but I want to only allow this if they are actually logged in, which I have working thanks to the view decorator @login_required. The problem is if they have a direct link, they can download the file regardless:

http://webserver.com/appname/location/media/myfile.docx

I want to lock down direct links and force them to log in if that was put in. The links are to things that are not going through the view, though (as per that file upload example).

I fear I have to lock it down at the server level (and I have no idea how to do that using the python manage.py runserver command for now), and I am not sure how I could have apache2 (once in production) know that there is a user logged in and allow the URL to that file?

Codejoy
  • https://docs.djangoproject.com/en/1.9/topics/auth/default/#limiting-access-to-logged-in-users – Chuck May 09 '16 at 23:07
  • Okay this confuses me then. Cause I have my view locked down, with the @login_required and that works great, they can't upload files unless they are authenticated, and they cannot download anything (from the view) unless authenticated. The problem is if they have a link directly to the file, then they can download it without having to be logged in. An example like: http://localhost:8000/media/documents/2016/05/03/9781849511544.mobi – Codejoy May 09 '16 at 23:20
  • You have your view locked down? Sorry, I don't understand what you mean by locked down. – Chuck May 09 '16 at 23:21
  • Updated comment with more info. I should have mentioned that by locked down I meant @login_required – Codejoy May 09 '16 at 23:23
  • Possible duplicate of [Django: preventing direct access to files](http://stackoverflow.com/questions/3901339/django-preventing-direct-access-to-files) – Chuck May 09 '16 at 23:27

0 Answers