Setting permissions for media files (Django)

Hi,

I'm hosting a Django web app and I would like to check some conditions on the user who is requesting a media file that can contain sensitive information before it is served (has to be the same user who uploaded the file, or another user in the same group, or an administrator), and eventually reject the request with a "403 error" if the conditions aren't met.

Little I learnt about this on the web, except that I shouldn't use Django or Python to serve my files, because this would consume a large amount of my - limited :( - available CPU. This is in fact a job for the web server (nginx), and not for the web app. (Not sure about this point, hope I got it right...)

Only idea I found that meets my needs revolves around "X-Access-Redirect" but this topic (https://www.pythonanywhere.com/forums/topic/12223/) seems to state that it won't be possible to make this work on pythonanywhere. A quite obvious solution is proposed, but in a well-known CPU-killer fashion (if again I got right the previous point).

So the question is: any further idea on how to check a file authorization on the Django requesting user while still having the media served by nginx (or at least without leaving it all to weigh on my "CPU Usage" counter)? Or is the solution in the mentioned topic the only workable one?

Thanks in advance :)

If you want to have permissions set, you definitely should serve those files with Django, and not as static files (which are publicly available). It won't consume your CPU seconds, since (at least for now) web apps' processes are not being taken into account here.

Fantastic!

Thank you for your answer.

Glad to hear that it is what you need!
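
An added example, not code from any of the posts above: one way to write the Django view the answer recommends, enforcing the rule from the question (uploader, a user sharing a group with the uploader, or an administrator; otherwise 403). The `Upload` model, the `myapp` package, the URL route and treating `is_staff` as "administrator" are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Requester:
    """Plain snapshot of the Django user fields the policy needs."""
    user_id: Optional[int]                 # None for an anonymous request
    is_admin: bool = False
    group_ids: frozenset = frozenset()


def can_download(req: Requester, owner_id: int, owner_group_ids: frozenset) -> bool:
    """Allow the uploader, anyone sharing a group with the uploader, or an admin."""
    if req.user_id is None:
        return False                       # anonymous users never get the file
    if req.is_admin or req.user_id == owner_id:
        return True
    return bool(req.group_ids & owner_group_ids)


def snapshot(user) -> Requester:
    """Build a Requester from django.contrib.auth's User or AnonymousUser."""
    if not user.is_authenticated:
        return Requester(user_id=None)
    groups = frozenset(user.groups.values_list("pk", flat=True))
    return Requester(user.pk, user.is_staff, groups)


def protected_media(request, upload_id):
    """Django view; assumed route: path("media/<int:upload_id>/", protected_media)."""
    # Imported here so the policy above can be tested without Django installed.
    from django.core.exceptions import PermissionDenied
    from django.http import FileResponse
    from django.shortcuts import get_object_or_404
    from myapp.models import Upload  # hypothetical: owner (FK to User), file (FileField)

    upload = get_object_or_404(Upload, pk=upload_id)
    owner_groups = frozenset(upload.owner.groups.values_list("pk", flat=True))
    if not can_download(snapshot(request.user), upload.owner_id, owner_groups):
        raise PermissionDenied             # Django turns this into a 403 response
    # The file is looked up by database id, never by a path taken from the URL.
    return FileResponse(upload.file.open("rb"), as_attachment=True)
```

For the check to mean anything, the uploaded files have to live outside every directory that is mapped as static files, since those are publicly available.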