[Django] #28540: When you save three or more ImageField in admin file perm = 0o600

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
12 messages Options
Reply | Threaded
Open this post in threaded view
|

[Django] #28540: When you save three or more ImageField in admin file perm = 0o600

Django
#28540: When you save three or more ImageField in admin file perm = 0o600
-------------------------------------+-------------------------------------
               Reporter:  Cotest     |          Owner:  nobody
                   Type:  Bug        |         Status:  new
              Component:  File       |        Version:  1.11
  uploads/storage                    |       Keywords:  ImageField, save,
               Severity:  Normal     |  permissions
           Triage Stage:             |      Has patch:  0
  Unreviewed                         |
    Needs documentation:  0          |    Needs tests:  0
Patch needs improvement:  0          |  Easy pickings:  0
                  UI/UX:  0          |
-------------------------------------+-------------------------------------
 This bug find in prod server (nginx, supervisor + gunicorn)

 I have models:
 MainModel() and
 SubModel():
  main_id = FK(MainModel)
  im1 = ImageField()
  im2 = ImageField()
  im3 = ImageField()

 When I fill SubModel object in admin (as InlineAdmin) and click save
 button, all images are saved, but permissions == 0600.
 If I fill any two imgs (or one), all is well.
 Django 1.10.5 - this bug not found.

 Sorry for my English.

--
Ticket URL: <https://code.djangoproject.com/ticket/28540>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/049.09c051f62af1db680cb9d28ace7ce0a6%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #28540: When you save three or more ImageField in admin file perm = 0o600

Django
#28540: When you save three or more ImageField in admin file perm = 0o600
-------------------------------------+-------------------------------------
     Reporter:  Yaroslav Demidenko   |                    Owner:  nobody
         Type:  Bug                  |                   Status:  new
    Component:  File                 |                  Version:  1.11
  uploads/storage                    |
     Severity:  Normal               |               Resolution:
     Keywords:  ImageField, save,    |             Triage Stage:
  permissions                        |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Old description:

> This bug find in prod server (nginx, supervisor + gunicorn)
>
> I have models:
> MainModel() and
> SubModel():
>  main_id = FK(MainModel)
>  im1 = ImageField()
>  im2 = ImageField()
>  im3 = ImageField()
>
> When I fill SubModel object in admin (as InlineAdmin) and click save
> button, all images are saved, but permissions == 0600.
> If I fill any two imgs (or one), all is well.
> Django 1.10.5 - this bug not found.
>
> Sorry for my English.
New description:

 This bug find in prod server (nginx, supervisor + gunicorn)

 I have models: `MainModel()` and
 {{{
 SubModel(models.Model):
     main_id = FK(MainModel)
     im1 = ImageField()
     im2 = ImageField()
     im3 = ImageField()
 }}}
 When I fill `SubModel` object in admin (as InlineAdmin) and click save
 button, all images are saved, but permissions == 0600.
 If I fill any two imgs (or one), all is well.
 Django 1.10.5 - this bug not found.

 Sorry for my English.

--

Comment (by Tim Graham):

 Have you set `settings.FILE_UPLOAD_PERMISSIONS`? Can you reproduce the
 problem in a non-production environment? It's unclear if someone could
 reproduce the problem based on the little information you provided. Can
 you provide a minimal sample project that reproduces the issue? Can you
 [https://docs.djangoproject.com/en/dev/internals/contributing/triaging-
 tickets/#bisecting-a-regression bisect the regression] to determine where
 the behavior changed?

--
Ticket URL: <https://code.djangoproject.com/ticket/28540#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/064.fa6d0f654e4b13eafabd836fb3bc432e%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #28540: When you save three or more ImageField in admin file perm = 0o600

Django
In reply to this post by Django
#28540: When you save three or more ImageField in admin file perm = 0o600
-------------------------------------+-------------------------------------
     Reporter:  Yaroslav Demidenko   |                    Owner:  nobody
         Type:  Bug                  |                   Status:  closed
    Component:  File                 |                  Version:  1.11
  uploads/storage                    |
     Severity:  Normal               |               Resolution:  needsinfo
     Keywords:  ImageField, save,    |             Triage Stage:
  permissions                        |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

 * status:  new => closed
 * resolution:   => needsinfo


--
Ticket URL: <https://code.djangoproject.com/ticket/28540#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/064.2e2dc6183a87a868d6166ff3b30a1797%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #28540: When you save three or more ImageField in admin file perm = 0o600

Django
In reply to this post by Django
#28540: When you save three or more ImageField in admin file perm = 0o600
-------------------------------------+-------------------------------------
     Reporter:  Yaroslav Demidenko   |                    Owner:  nobody
         Type:  Bug                  |                   Status:  closed
    Component:  File                 |                  Version:  1.11
  uploads/storage                    |
     Severity:  Normal               |               Resolution:  needsinfo
     Keywords:  ImageField, save,    |             Triage Stage:
  permissions                        |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Xavier Ordoquy):

 Been hitting the same issue although it's somewhat inconsistent. Some
 context:
 - Only have one FileField on the model.
 - So far, it's been happening and reproduced on production with only one
 file (24 uploaded files)

 We'll set `FILE_UPLOAD_PERMISSIONS` and see if that fixes the issue.

 Meanwhile, here's the raw unedited model. I don't think it has anything
 fancy and no signal:

 {{{
 @python_2_unicode_compatible
 class Livret(models.Model):
     bDisplay = models.BooleanField("Utilisé ce semestre", default=True)
     nom = models.CharField(_("Nom"), max_length=255, blank=False,
 null=False)
     file = models.FileField(_("Fichier"), upload_to="PDF")
     infos = models.TextField(blank=True, null=True)
     tags = TaggableManager(blank=True)
     events = models.ManyToManyField(Event, related_name='livrets',
 verbose_name=("Events"), blank=True)

     def __str__(self):
         return self.nom
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28540#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/064.3916e72f4645a63ecf765175d29b02d8%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #28540: When you save three or more ImageField in admin file perm = 0o600

Django
In reply to this post by Django
#28540: When you save three or more ImageField in admin file perm = 0o600
-------------------------------------+-------------------------------------
     Reporter:  Yaroslav Demidenko   |                    Owner:  nobody
         Type:  Bug                  |                   Status:  new
    Component:  File                 |                  Version:  1.11
  uploads/storage                    |
     Severity:  Normal               |               Resolution:
     Keywords:  ImageField, save,    |             Triage Stage:
  permissions                        |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Simen Heggestøyl):

 * cc: Simen Heggestøyl (added)
 * status:  closed => new
 * resolution:  needsinfo =>


Comment:

 We've hit the same issue, and I've identified
 f734e2d4b2fc4391a4d097b80357724815c1d414 as the offending commit.

 The issue seems to be that when `FILE_UPLOAD_PERMISSIONS` is `None`, the
 default system permissions are used. This worked fine for us, because our
 system default is 644, which is what we wanted. After
 f734e2d4b2fc4391a4d097b80357724815c1d414 however, when the uploaded file
 is sufficiently large, the system's permissions for temporary files is
 used instead (which was 600 in our case).

 Setting `FILE_UPLOAD_PERMISSIONS` explicitly fixes the issue, but I think
 this behavioral change should be mentioned in the release notes.

--
Ticket URL: <https://code.djangoproject.com/ticket/28540#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/064.e22bfce2a0a2ab079cc19d26a79dff36%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #28540: When you save three or more ImageField in admin file perm = 0o600

Django
In reply to this post by Django
#28540: When you save three or more ImageField in admin file perm = 0o600
-------------------------------------+-------------------------------------
     Reporter:  Yaroslav Demidenko   |                    Owner:  nobody
         Type:  Bug                  |                   Status:  new
    Component:  File                 |                  Version:  1.11
  uploads/storage                    |
     Severity:  Normal               |               Resolution:
     Keywords:  ImageField, save,    |             Triage Stage:  Accepted
  permissions                        |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Simon Charette):

 * stage:  Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/28540#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/064.fe83f75370db078fb8010aff59703e29%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #28540: Document changes to file upload permissions in Django 1.11 (was: When you save three or more ImageField in admin file perm = 0o600)

Django
In reply to this post by Django
#28540: Document changes to file upload permissions in Django 1.11
-------------------------------------+-------------------------------------
     Reporter:  Yaroslav Demidenko   |                    Owner:  nobody
         Type:                       |                   Status:  new
  Cleanup/optimization               |
    Component:  Documentation        |                  Version:  1.11
     Severity:  Normal               |               Resolution:
     Keywords:  ImageField, save,    |             Triage Stage:  Accepted
  permissions                        |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

 * component:  File uploads/storage => Documentation
 * type:  Bug => Cleanup/optimization


Comment:

 The behavior might also be mentioned somewhere in the file upload
 documentation.

--
Ticket URL: <https://code.djangoproject.com/ticket/28540#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/064.008ef043a61e10ae0ed7b16c8950e697%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #28540: Document changes to file upload permissions in Django 1.11

Django
In reply to this post by Django
#28540: Document changes to file upload permissions in Django 1.11
-------------------------------------+-------------------------------------
     Reporter:  Yaroslav Demidenko   |                    Owner:  nobody
         Type:                       |                   Status:  new
  Cleanup/optimization               |
    Component:  Documentation        |                  Version:  1.11
     Severity:  Normal               |               Resolution:
     Keywords:  ImageField, save,    |             Triage Stage:  Accepted
  permissions                        |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by René Fleschenberg):

 Are you sure that we should consider this a documentation bug? I think it
 doesn't make sense to use different permissions depending on the file
 size.

 I know I am late to the party, but just in case it is of any use, I set up
 a minimal project that demonstrates the issue:
 https://github.com/rfleschenberg/django-file-upload-bug

--
Ticket URL: <https://code.djangoproject.com/ticket/28540#comment:7>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/064.2274b1a56bb7015896ad5a87b26e469b%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #28540: Document changes to file upload permissions in Django 1.11

Django
In reply to this post by Django
#28540: Document changes to file upload permissions in Django 1.11
-------------------------------------+-------------------------------------
     Reporter:  Yaroslav Demidenko   |                    Owner:  nobody
         Type:                       |                   Status:  new
  Cleanup/optimization               |
    Component:  Documentation        |                  Version:  1.11
     Severity:  Normal               |               Resolution:
     Keywords:  ImageField, save,    |             Triage Stage:  Accepted
  permissions                        |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Tim Graham):

 No, I'm not sure. I don't think I investigated the issue in detail.

--
Ticket URL: <https://code.djangoproject.com/ticket/28540#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/064.b9692518206c9c93812b7bcbfed0745e%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #28540: Document changes to file upload permissions in Django 1.11

Django
In reply to this post by Django
#28540: Document changes to file upload permissions in Django 1.11
-------------------------------------+-------------------------------------
     Reporter:  Yaroslav Demidenko   |                    Owner:  nobody
         Type:                       |                   Status:  new
  Cleanup/optimization               |
    Component:  Documentation        |                  Version:  1.11
     Severity:  Normal               |               Resolution:
     Keywords:  ImageField, save,    |             Triage Stage:  Accepted
  permissions                        |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Keryn Knight):

 * cc: Keryn Knight (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/28540#comment:9>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/064.66fbf1221fefd32a639df3cdddf4c86f%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #28540: Document changes to file upload permissions in Django 1.11

Django
In reply to this post by Django
#28540: Document changes to file upload permissions in Django 1.11
-------------------------------------+-------------------------------------
     Reporter:  Yaroslav Demidenko   |                    Owner:  nobody
         Type:                       |                   Status:  new
  Cleanup/optimization               |
    Component:  Documentation        |                  Version:  1.11
     Severity:  Normal               |               Resolution:
     Keywords:  ImageField, save,    |             Triage Stage:  Accepted
  permissions                        |
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Claude Paroz):

 * has_patch:  0 => 1


Comment:

 See [https://github.com/django/django/pull/10116 this PR] as a possible
 approach.

--
Ticket URL: <https://code.djangoproject.com/ticket/28540#comment:10>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/064.8d30af9fb89767e23474c3a72632d76b%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: [Django] #28540: Document changes to file upload permissions in Django 1.11

Django
In reply to this post by Django
#28540: Document changes to file upload permissions in Django 1.11
-------------------------------------+-------------------------------------
     Reporter:  Yaroslav Demidenko   |                    Owner:  nobody
         Type:                       |                   Status:  new
  Cleanup/optimization               |
    Component:  Documentation        |                  Version:  1.11
     Severity:  Normal               |               Resolution:
     Keywords:  ImageField, save,    |             Triage Stage:  Accepted
  permissions                        |
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Tim Graham):

 As I mentioned in the PR discussion, the new behavior seems consistent
 with the
 [https://github.com/django/django/commit/ff420b43647dd7f149f000efd2c7eb077f6ba5cf
 original documentation] added with the introduction of the
 `FILE_UPLOAD_PERMISSIONS` setting:
  On most platforms, temporary files will have a mode of `0600`, and files
 saved from memory will be saved using thesystem's standard umask.

 By default, `MemoryFileUploadHandler` is used for files up to
 `settings.FILE_UPLOAD_MAX_MEMORY_SIZE`, otherwise
 `TemporaryFileUploadHandler` is used.

 If we decide not to make a change (probably the discussion should move to
 django-developers), then we could at least add a note to the deployment
 checklist. Carlton proposed adding a system check that warns if the
 `FILE_UPLOAD_PERMISSIONS` setting isn't set but that feels a bit heavy
 handed as none of the open source Django projects I checked have specified
 this setting so presumably it isn't a common issue.

--
Ticket URL: <https://code.djangoproject.com/ticket/28540#comment:11>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/064.d48d25a4b8b3f7b89b084ed755cb1a4f%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.