
django authentication .htaccess static

In my app users can upload files for other users. To make the uploaded files accessible only to the addressee I need some kind of static files authentication system.

My idea is to create an Apache-hosted directory for each user and to limit access to this directory using .htaccess.

This means that each time a new Django user is created, I need to create a directory and the appropriate .htaccess file in it. I know I should do it using post_save signals on the User model, but I don't know how to create the .htaccess in the user's directory from Python. Can you help me with that?

Or perhaps you have a better solution to my problem?


  1. Use Python to rewrite the .htaccess automatically?
  2. Use a database with users and use Apache sessions to authenticate?


Why not have a PrivateUploadedFile object that has a field for the file and an m2m relation for any Users who are allowed to read that file? Then you don't have to mess with Apache conf at all...

from django.contrib.auth.models import User
from django.db import models
import hashlib

def generate_obfuscated_filename(instance, filename):
    # hash the original name so the stored name is not guessable;
    # you could salt this with something
    hashed_filename = hashlib.sha1(filename.encode("utf-8")).hexdigest()
    # includes the original file format extension
    return u"your/upload/path/%s.%s" % (hashed_filename, filename.split(".")[-1])


class PrivateUploadedFile(models.Model):
    file = models.FileField(upload_to=generate_obfuscated_filename)
    recipients = models.ManyToManyField(User)
    uploader = models.ForeignKey(User, on_delete=models.CASCADE, related_name="files_uploaded")

    def available_to(self, user):
        # call this as my_uploaded_file_instance.available_to(request.user)
        # or with any other user object you want
        return user in self.recipients.all()  # NB: not partic. efficient, but can be tuned


Came across this django-sendfile which can be used to serve static files. Might be helpful.


Have Django handle authentication and authorization as normal, then use Apache's mod_xsendfile to have Apache handle sending the actual file. Remember to have the files uploaded to a place that cannot be accessed directly, ideally outside Apache's document root.

This question has a good example of how to implement this behaviour, but it basically boils down to setting response['X-Sendfile'] = file_path in your view.

django-sendfile does the same thing, but for several different web servers (and convenience shortcuts), and django-private-files is the same, but also implements PrivateFileField.
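The authorize-then-X-Sendfile flow from the answer above, as an added example that is not from the original answer or from any of the named projects. It uses only the standard library so it runs without Django installed; the PrivateFile record, PRIVATE_ROOT and the user ids are constructed stand-ins for the model, the setting and request.user.

```python
import os
from dataclasses import dataclass

# Files live outside Apache's DocumentRoot (assumed path); Apache must be told
# it may stream from here:  XSendFile On / XSendFilePath /srv/private_uploads
PRIVATE_ROOT = "/srv/private_uploads"


@dataclass(frozen=True)
class PrivateFile:
    """Stand-in for the model row: stored relative path plus who may read it."""
    relative_path: str
    uploader_id: int
    recipient_ids: frozenset


def resolve_private_path(relative_path, root=PRIVATE_ROOT):
    """Join the stored path onto the private root and refuse anything that
    escapes it (absolute paths, '..' segments), so a tampered record can
    never make Apache stream an arbitrary file."""
    full = os.path.normpath(os.path.join(root, relative_path))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("path escapes private root")
    return full


def sendfile_response(user_id, record, root=PRIVATE_ROOT):
    """What the Django view would return: (status, headers).

    Django decides: only the uploader or a listed recipient gets 200.
    Apache streams: the body stays empty and the X-Sendfile header names
    the file, exactly like response['X-Sendfile'] = file_path in a view."""
    if user_id != record.uploader_id and user_id not in record.recipient_ids:
        return 403, {}
    try:
        full = resolve_private_path(record.relative_path, root)
    except ValueError:
        return 404, {}  # treat a bad stored path like a missing file
    headers = {
        "X-Sendfile": full,
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % os.path.basename(full),
    }
    return 200, headers


if __name__ == "__main__":
    rec = PrivateFile("alice/report.pdf", uploader_id=1, recipient_ids=frozenset({2, 3}))
    print(sendfile_response(2, rec))  # recipient: 200 with X-Sendfile header
    print(sendfile_response(9, rec))  # stranger: 403, nothing streamed
```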


Add a view that controls the authentication of the user, and serve the file via Django's static files serving tools:

import django.views.static
from django.core.exceptions import PermissionDenied

def get_file(request, some_id):
    # check that the user is allowed to see the file
    # (user_may_read is your own check, e.g. a recipient lookup)
    if not user_may_read(request.user, some_id):
        raise PermissionDenied
    # obtain the file name:
    path = path_from_id(some_id)
    # serve the file:
    return django.views.static.serve(request, path, document_root=your_doc_root)

This is a perfectly secure solution, but perhaps not ideal if you serve an enormous number of files in that way.

Edit: the disclaimer on the django page does not apply here. Obviously, it would be inefficient to serve all your files with static.serve. It is however secure in the sense that you only serve the files to the users that are allowed to.
