1

In my application I sometimes generate a new picture. After reading comments here I decided to store the pictures in the filesystem and the metadata in the database, so now my files are served statically independently of the database (the bd gives the user the filename that they want to access, which they then pull from a static fileserver).

However, the problem I have here is that I don't always want users to see pictures generated by other users. Let's say, for example, that user Joe creates pictures A and B, and user Sue creates C and D. I don't want Joe being able to see C and D and I dont want Sue seeing A and B. Since all the files are served statically, if Joe happens to guess the url for C, he can access it.

Since the way the pictures are served is pretty much out of control of my django, I'm not sure what the solution here would be, other than encrypting the files (which is complicated and resource-intensive)

Community
  • 1
  • 1
Goro
  • 9,919
  • 22
  • 74
  • 108
  • 2
    See http://serverfault.com/questions/332631/how-can-i-protect-files-on-my-nginx-server – sanmai Jan 14 '12 at 01:58
  • 2
    Also http://stackoverflow.com/questions/4022260/how-to-detect-x-accel-redirect-nginx-x-sendfile-apache-support-in-php – sanmai Jan 14 '12 at 01:59

2 Answers2

1

Use one or more MD5 hexdigest of some attribute as part of the image path; the path will be pretty random.

Paulo Scardine
  • 73,447
  • 11
  • 124
  • 153
1

The easy way is to use django send_file[1] to do it. This is easy to implement but does not scale well. I use it to serve dynamically generated reports. The only advantage of this solution is that it's all python code.

The better way is to use the information on sanmai's links. You can also take a look here: http://www.sensibledevelopment.com/2010/11/django-sendfile-an-for-abstraction-large-file-serving-in-django/ for some django specific information.

1: http://djangosnippets.org/snippets/101/

Bob Jansen
  • 1,215
  • 2
  • 12
  • 31