Rob*_*bin 10 python authentication django url file-access
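I would like to know whether there is a way to protect images or files so that they stay hidden when the user is not authenticated.
Suppose my site has an image that should only be visible once the user is authenticated. The problem is that I can copy the URL or open the image in a new tab.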
http://siteis.com/media/uploaded_files/1421499811_82_Chrysanthemum.jpg
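And even when I am not authenticated, I can view that particular image by visiting the URL. So my question is: how can I protect the files so that only authenticated users can see them?
Update:
View: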
from django.contrib.auth.models import User
from django.shortcuts import render

def pictures(request, user_id):
    user = User.objects.get(id=user_id)
    all = user.photo_set.all()
    return render(request, 'pictures.html', {
        'pictures': all
    })
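Models:
from time import time
from django.contrib.auth.models import User
from django.db import models

def get_upload_file_name(instance, filename):
    # Prefix the original file name with the upload timestamp.
    return "uploaded_files/%s_%s" % (str(time()).replace('.', '_'), filename)

class Photo(models.Model):
    photo_privacy = models.CharField(max_length=1, choices=PRIVACY, default='F')
    user = models.ForeignKey(User)
    image = models.ImageField(upload_to=get_upload_file_name)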
Settings:
if DEBUG:
    MEDIA_URL = '/media/'
    STATIC_ROOT = os.path.join(os.path.dirname(BASE_DIR), "myproject", "static", "static-only")
    MEDIA_ROOT = os.path.join(os.path.dirname(BASE_DIR), "myproject", "static", "media")
    STATICFILES_DIRS = (
        os.path.join(os.path.dirname(BASE_DIR), "myproject", "static", "static"),
    )
Update:
Template:
{% if pictures %}
    {% for photo in pictures %}
        <img src="/media/{{ photo.image }}" width="300" alt="{{ photo.caption }}"/>
    {% endfor %}
{% else %}
    <p>You have no picture</p>
{% endif %}
URLs:
url(r'^(?P<user_name>[\w@%.]+)/photos/$', 'pictures.views.photos', name='photos'),

if settings.DEBUG:
    urlpatterns += static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)
    urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
The better way is to protect the URL, so that no media file is served to anonymous users.
Code (updated):
from django.conf.urls import patterns, include, url
from django.contrib.auth.decorators import login_required
from django.views.static import serve
from django.conf import settings
from django.core.exceptions import ObjectDoesNotExist
from django.shortcuts import HttpResponse
# Photobox is the model that stores each user's image; import it from your own app.

@login_required
def protected_serve(request, path, document_root=None):
    try:
        obj = Photobox.objects.get(user=request.user.id)
        obj_image_url = obj.image.url
        # Strip the MEDIA_URL prefix so the stored URL can be compared with the requested path.
        correct_image_url = obj_image_url.replace("/media/", "")
        if correct_image_url == path:
            return serve(request, path, document_root)
    except ObjectDoesNotExist:
        pass
    # No matching object, or the requested path is not this user's file.
    return HttpResponse("Sorry you don't have permission to access this file")

# The extra-kwargs key must match the view's parameter name (document_root).
url(r'^{}(?P<path>.*)$'.format(settings.MEDIA_URL[1:]), protected_serve, {'document_root': settings.MEDIA_ROOT}),
Note: previously any logged-in user could access any page; this update now prevents a user from viewing other users' files...
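
The ownership check described in the answer above, reduced to a framework-free decision function. This is an added example, not code from the question or the answer; the names media_access_status, normalize_media_path and OWNERS, the user ids and two of the three file names are constructed. It goes slightly beyond the answer by looking the requested path up per file, so a user who owns several files can reach each of them, and by rejecting paths that try to leave the media directory.

```python
import posixpath

# Constructed sample data: media path (relative to MEDIA_ROOT) -> owning user id.
# In a Django project this lookup would be a query on the model that stores the upload.
OWNERS = {
    "uploaded_files/1421499811_82_Chrysanthemum.jpg": 7,
    "uploaded_files/1421499900_10_Tulips.jpg": 7,
    "uploaded_files/1421500000_55_Desert.jpg": 9,
}


def normalize_media_path(raw_path):
    """Return a clean relative path, or None if it would leave the media directory."""
    if "\\" in raw_path or "\x00" in raw_path:
        return None
    path = posixpath.normpath(raw_path).lstrip("/")
    if path in ("", ".", "..") or path.startswith("../"):
        return None
    return path


def media_access_status(user_id, raw_path, owners=OWNERS):
    """HTTP status a protected media view should answer with.

    user_id is None for an anonymous request; raw_path is the part of the
    URL captured after the media prefix.
    """
    if user_id is None:
        return 401  # not logged in (login_required would redirect to the login page)
    path = normalize_media_path(raw_path)
    if path is None:
        return 404  # malformed or traversing path: never reaches the file system
    owner = owners.get(path)
    if owner is None:
        return 404  # no such upload is recorded
    if owner != user_id:
        return 403  # logged in, but the file belongs to someone else
    return 200      # owner: the view may now hand the file to serve()


if __name__ == "__main__":
    target = "uploaded_files/1421499811_82_Chrysanthemum.jpg"
    for uid in (None, 7, 9):
        print(uid, media_access_status(uid, target))
```

A check like this only takes effect when the front-end web server does not also serve MEDIA_ROOT directly under /media/, because such a request never reaches the Django view.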