When I was studying Django, the typical way to handle file uploads was to create a media folder on the server - setting MEDIA_ROOT and MEDIA_URL in settings.py - where every uploaded file would go. In models, a FileField or ImageField is created, whose upload_to is relative to MEDIA_ROOT. In production, the web server itself (e.g. Apache) is expected to serve content from the /media URL, leaving only dynamic content to Django.
So far so good; the problem is that I would like to restrict access to uploaded files to logged-in users, according to some access control criteria. What is the right way to do this? Is it Django's or Apache's responsibility to do this access control? (And if it is Apache's, how do you make use of the Django permissions system?)
For reference, here is my virtual host (I use Django 1.4.14):
Alias /media/ /var/www/vhosts/example.com/httpdocs/media/
Alias /static/ /var/www/vhosts/example.com/httpdocs/static/
WSGIDaemonProcess exemplo threads=15 processes=5
WSGIProcessGroup exemplo
WSGIScriptAlias / /var/www/vhosts/example.com/exemplo.wsgi
P.S. For performance reasons, I would prefer that not all files have access control - the case of user-uploaded files that are universally accessible is more frequent than the case where the file is restricted. I could designate a subfolder for them (e.g. /media) and let Django take care of that folder, but I do not know how to do this with only /media/restrito and Alias. Maybe I need WSGIScriptAlias too, I do not know... Anyway, I'm quite lost; any reference on the subject would be very welcome.
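
One way application code can guard the restricted subfolder described above, as an added example that is not part of the original post: a standard-library WSGI app (so it runs without Django) that checks permission first and then confines the request to the subfolder. `is_allowed`, `resolve_restricted` and `make_restricted_app` are hypothetical names; in a Django project the same logic would sit in a view, with the hook replaced by the login and permission check.

```python
import os
from wsgiref.util import FileWrapper

# Paths taken from the post's virtual host and P.S.
MEDIA_ROOT = "/var/www/vhosts/example.com/httpdocs/media"
RESTRICTED_PREFIX = "/media/restrito/"


def resolve_restricted(url_path, media_root=MEDIA_ROOT):
    """Map a /media/restrito/... URL to a real file inside the subfolder, else None."""
    if not url_path.startswith(RESTRICTED_PREFIX) or "\x00" in url_path:
        return None
    base = os.path.realpath(os.path.join(media_root, "restrito"))
    target = os.path.realpath(os.path.join(base, url_path[len(RESTRICTED_PREFIX):]))
    # Reject "../" and symlink escapes: the resolved file must stay under base.
    if os.path.commonpath([base, target]) != base or not os.path.isfile(target):
        return None
    return target


def _plain(start_response, status):
    start_response(status, [("Content-Type", "text/plain")])
    return [status.encode("ascii")]


def make_restricted_app(is_allowed, media_root=MEDIA_ROOT):
    """Build a WSGI app guarding the restricted subfolder.

    is_allowed(environ, url_path) is a hypothetical hook standing in for the
    Django login/permission check.
    """
    def app(environ, start_response):
        url_path = environ.get("PATH_INFO", "")
        if not url_path.startswith(RESTRICTED_PREFIX):
            return _plain(start_response, "404 Not Found")
        # Decide access before touching the disk, so a denied client cannot
        # tell existing file names from missing ones.
        if not is_allowed(environ, url_path):
            return _plain(start_response, "403 Forbidden")
        path = resolve_restricted(url_path, media_root)
        if path is None:
            return _plain(start_response, "404 Not Found")
        start_response("200 OK", [
            ("Content-Type", "application/octet-stream"),
            ("Content-Length", str(os.path.getsize(path))),
            ("X-Content-Type-Options", "nosniff"),
        ])
        return FileWrapper(open(path, "rb"))
    return app
```

This assumes the restricted files are not also reachable through the `Alias /media/` mapping in the virtual host, since Apache would otherwise serve them directly without consulting the application.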