How control access to static pages that are *not* part of a Django app?

Chris Seberino
My Django app only allows someone to access a /books page, that is
part of the Django app, if they are signed in.

The pages below that URL are just static directory listings of PDFs
all handled by Apache.
For example /books/book_1, /books/book_2, etc.

Because these directory listings aren't handled by Django, they don't
enjoy Django's access controls.  They don't even have a view since
they are just static pages handled by Apache.

Is there any way to somehow prevent access to them unless someone is
signed into my Django app?

chris

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to [hidden email].
To unsubscribe from this group, send email to [hidden email].
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.

Re: How control access to static pages that are *not* part of a Django app?

Shawn Milochik
I'm dealing with the same issue, and it looks like I'm probably going to
adopt django-private-files for this.

http://pypi.python.org/pypi/django-private-files/0.1.2

It's on Read The Docs, bitbucket, and github. It does what I need it to
do, it works with nginx, and it's been maintained recently.

The closest competitor I found is django-protected-files, but it doesn't
look like it's been maintained for a long time.

Shawn


Re: How control access to static pages that are *not* part of a Django app?

DrBloodmoney
In reply to this post by Chris Seberino
On Mon, Aug 1, 2011 at 1:12 AM, Chris Seberino <[hidden email]> wrote:

> My Django app only allows someone to access a /books page, that is
> part of the Django app, if they are signed in.
>
> The pages below that URL are just static directory listings of PDFs
> all handled by Apache.
> For example /books/book_1, /books/book_2, etc.
>
> Because these directory listings aren't handled by Django, they don't
> enjoy Django's access controls.  They don't even have a view since
> they are just static pages handled by Apache.
>
> Is there any way to somehow prevent access to them unless someone is
> signed into my Django app?
>
> chris
>


You can look into protecting them with mod_xsendfile for Apache
(X-Accel-Redirect for nginx). Basically you restrict access to the
directory from Apache so someone cannot naively navigate to that
url/directory, then set response headers in your Django app. Apache
will then read those response headers and serve the protected file.

Re: How control access to static pages that are *not* part of a Django app?

Chris Seberino


On Aug 1, 7:11 am, DrBloodmoney <[hidden email]> wrote:
> You can look into protecting them with mod_xsendfile for Apache

Thanks.  I'll look into that.  Is there no way to have a view hand off
a page to Apache?
If there was, I could have a view that was password protected and only
when I was in the view would I allow the apache page to be served.

Alternatively, the view could simply load a static file and present
that I suppose somehow.  Not sure.

cs

Re: How control access to static pages that are *not* part of a Django app?

Javier Guerra Giraldez
On Mon, Aug 1, 2011 at 2:51 PM, Chris Seberino <[hidden email]> wrote:
> Thanks.  I'll look into that.  Is there no way to have a view hand off
> a page to Apache?
> If there was, I could have a view that was password protected and only
> when I was in the view would I allow the apache page to be served.

that's exactly what mod_xsendfile (and X-Accel-Redirect for nginx)
does.  in short, any response from Django that contains such a header is
replaced by the frontend server with the file.

--
Javier

Re: How control access to static pages that are *not* part of a Django app?

DrBloodmoney
In reply to this post by Chris Seberino
On Mon, Aug 1, 2011 at 3:51 PM, Chris Seberino <[hidden email]> wrote:
>
>
> On Aug 1, 7:11 am, DrBloodmoney <[hidden email]> wrote:
>> You can look into protecting them with mod_xsendfile for Apache
>
> Thanks.  I'll look into that.  Is there no way to have a view hand off
> a page to Apache?

Like Javier mentioned, this is exactly what mod_xsendfile does. Check
out this answer[1] on StackOverflow.

[1] http://stackoverflow.com/questions/1156246/having-django-serve-downloadable-files/1158750#1158750
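
The hand-off the replies describe, as an added example that is not code from the thread or from the linked answer: a signed-in check decides whether to answer with an `X-Sendfile` header, and the requested path is confined to the protected directory before it is handed to Apache. `PROTECTED_ROOT`, `LOGIN_URL` and the function names are hypothetical, and the logic is kept framework-free so it runs without Django installed.

```python
import posixpath

# Assumed layout: the PDFs live in a directory Apache refuses to serve
# directly, and mod_xsendfile is enabled for the Django vhost
# (XSendFile On, plus an XSendFilePath covering this directory).
PROTECTED_ROOT = "/srv/protected/books"   # hypothetical path
LOGIN_URL = "/accounts/login/"            # hypothetical login URL


def resolve_protected(relpath, root=PROTECTED_ROOT):
    """Map a URL-supplied relative path to a file under root, or None."""
    if not relpath or "\x00" in relpath or "\\" in relpath:
        return None
    if relpath.startswith("/"):
        return None
    full = posixpath.normpath(posixpath.join(root, relpath))
    # Lexical containment check: "book_1/../../etc/passwd" normalizes to a
    # path outside root and is refused. Symlinks are not resolved here.
    if not full.startswith(root.rstrip("/") + "/"):
        return None
    return full


def books_response(is_authenticated, relpath):
    """Return (status, headers) that the view hands back to Apache.

    In a Django view, is_authenticated would come from
    request.user.is_authenticated and the headers would be set on an
    empty HttpResponse.
    """
    if not is_authenticated:
        return 302, {"Location": LOGIN_URL}
    full = resolve_protected(relpath)
    if full is None:
        return 404, {}
    # Empty body: Apache sees X-Sendfile, strips it, and streams the file.
    return 200, {"X-Sendfile": full, "Content-Type": "application/pdf"}
```

The header value only takes effect when the response passes through Apache with mod_xsendfile loaded; served any other way, the client receives an empty response rather than the file.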
