Restrict downloading of files to authenticated Django users only?

Question

I'd like to restrict access to a folder of documents to only those who are currently logged into my Django website. I know that it is bad practice to serve up files directly from Django (since this should be Apache's job), so what is the best practice here?

I've read about installing mod_xsendfile and then simply having an authentication-required view that does something like this:

response = HttpResponse(mimetype='application/force-download')
response['Content-Disposition'] = 'attachment; filename=%s' % smart_str(file_name)
response['X-Sendfile'] = smart_str(path_to_file)
return response

However, I'm not positive on the steps I need to follow to install mod_xsendfile on my existing Django installation on Webfaction. (My linux skills are still a bit lacking, sadly. But I'm good at following directions!)

Any help is greatly appreciated. Thanks!

Accepted Answer

0

We have a post on our old forums on how to install mod_xsendfile.

Don't forget to specify

XSendFile on
XSendFilePath /full/path/to/those/files/I/wanna/send/

in your httpd.conf file (for mod_xsendfile 0.12 and up)

If you don't want to use mod_xsendfile you could use this from Stackoverflow:

@login_required
def serve_file(request, filename):
    fullname = myapp.settings.PRIVATE_AREA+filename
    try:
        f = file(fullname, "rb")
    except Exception, e:
        return page_not_found(request, template_name='404.html')
    try:
        wrapper = FileWrapper(f)
        response = HttpResponse(wrapper, mimetype=mimetypes.guess_type(filename))
        response['Content-Length'] = os.path.getsize(fullname)
        return response
    except Exception, e:
        return page_not_found(request, template_name='500.html')

permanent link

answered 13 Oct '11, 09:26

timg ♦♦
1.3k●4
accept rate: 30%

Thanks, the instructions on installing mod_xsendfile worked out great.

(14 Oct '11, 12:22) vkdev

On older (RedHat 3/4) servers, you can't use /usr/sbin/apxs as it generates incompatible .so files. Instead, build apxs from source and use it, like this:

mkdir -p ~/xsend/src
cd ~/xsend/src
wget http://apache.tradebit.com/pub//httpd/httpd-2.2.21.tar.gz
tar -xzf httpd-2.2.21.tar.gz
cd httpd-2.2.21
./configure --prefix=$HOME/xsend
make && make install

cd $HOME/xsend/src
wget --no-check-certificate https://tn123.org/mod_xsendfile/mod_xsendfile.c
$HOME/xsend/bin/apxs -c mod_xsendfile.c
ld -Bshareable -o mod_xsendfile.so mod_xsendfile.o

# replace "DJANGO" with your django application name:

# edit your httpd.conf:
  # vim $HOME/webapps/DJANGO/apache2/conf/httpd.conf
  # Add:
  #     LoadModule xsendfile_module  modules/mod_xsendfile.so
  #     XSendFile on
  #     XSendFilePath /path/to/your/protected/media

cp mod_xsendfile.so $HOME/webapps/DJANGO/apache2/modules/
$HOME/webapps/DJANGO/apache2/bin/restart

Hope that helps!

(27 Oct '11, 22:47) ryans ♦♦

Restrict downloading of files to authenticated Django users only?

Follow this question

Related questions