In my app, the user can select a Youtube video that will be downloaded to MEDIA_ROOT folder and then also made available for the user to download.
Whenever the user chooses another video to download, the previous one is deleted from MEDIA_ROOT. So at any given moment there is only one video sitting in the MEDIA_ROOT folder for a particular user.
Is there any way - apart from implementing user authentication and associating the downloaded files with a user through foreign key, which I feel is an overkill for only this task - of telling the users apart whenever such download request is being made, so that one user's request does not cause the deletion of the file downloaded by some other user (as all the files sit in the same MEDIA_ROOT folder)?
Assuming you have some sort of web server, you can create custom links that redirect through your web server and pass IP information, etc, so you can distinguish a user before one downloads a video. That is certainly one way of doing it without authentication and since the app/platform that tracks user data is in-house you don't have to worry about foreign keys, etc.
You can use cookies to uniquely identify users. Web browsers will keep sending that cookie value to your web server for as long as the web browser's cookie store is not cleared. Make sure to generate an hard to guess value for the web browser to store and you to identify with so that one cannot bruteforce that value and get access to data meant for other users. The common way is to generate say a 32 characters string from a CSPRNG.
You can have a go at this question to find out how to set cookies in Python Django: Django Cookies, how can I set them?
I would personally use built in Django Cookie Sessions: https://docs.djangoproject.com/en/2.2/topics/http/sessions/#using-cookie-based-sessions
Related
I want to create an application where user can upload their secret documents. Secret means no one can see the document even the super admin of the server can't even see the document. In other words I want system level authentication. Is there a way to do it with Django? How should I overcome this problem? I have a VPS to store files but I want to create separate document folder for each user which can only be accessed by the user. Not even by me or by the server admin. Any idea would be appreciated. What should be my approach?
I'm currently working with some people to develop an application that will display a "sound library" when the user selects an option on their voip phone. The idea is that the phone system will pass a url with a device id in it, and that will open the django app to the users' library. I was told to remove login/user authentication in order to make the process easier for the user. My question is, is there a way to create a user field and save the model for future retrieval via the url request alone? Do I need to pass the device id to some hidden form first and redirect to the main page, and query the users' objects via the device id? I know there are security concerns but was wondering if it's even possible, any help is appreciated!
You should try using Djago REST Framework, it will make it easy to retrieve data with urls using unique identifier.
Is there a rule for when to use Flask.config vs. flask.session to store variables?
Anything that is static, app-wide, doesn't change much, and has important information for all users, should use config. (e.g. secret keys, options to modify the app from project to project, emails, generic messages)
Session should only be used to store relevant user data as the data is modified through each page. (e.g. user login data, user preferences, user inputs from previous pages)
If you have to save something from Page 1 to Page 5 in your website for that particular user, then use session. Sessions should mainly be used based on the individual user.
Yes, most definitely.
The config is for global, project-level variables: the location of files, keys for any APIs you might be using, your database access settings, things like that.
The session is for variables related to the current user's session on the site: their previous choices on a multi-page form, preferences, login details, etc.
You definitely don't want to get these mixed up.
I'd like to prevent my web users from simply right clicking an image and copying/sharing the URL. Certain authenticated users have access to certain images, and I'd like to enforce this as much as possible. Non authenticated users should have no access to image files.
It's generally recommended to avoid storing/fetching images from a DB, due to performance issues, from what I have read.
I've considered having a function that reads the file (server side, in python) and inserts it into the webpage (base64 encoded, possibly, or some other way) in the Django view functions. Combined with an .htaccess file that denies external requests, this would likely work, but it seems like it'd be resource intensive.
Is there any other options for enforcing this rule? I realize users can screenshot, save images, etc, but it's my responsibility to enforce these restrictions as much as possible, what are my best options?
edit: I have no experience using a CDN, but would be willing to use this if it's a viable option that covers these needs.
I'll bite.
Session Middleware - not elegant, but it will work
You'll want the images you don't want served publicly to not be served through your standard apache/django static files config.
your session middleware can then check all incoming requests for the path and if the path is your image directory (such as /privateimg/) and the user is not authenticated you can bounce them back out or replace it inline with another image (such as one that has a watermark).
You can check out the django docs on how session middleware works https://docs.djangoproject.com/en/dev/topics/http/sessions/
People can still pass your links around, but only authenticated users can actually see the contents of said links (called gating your content)
To elaborate:
settings.py
GATED_CONTENT = (
'/some_content_dir/', # This is a directory we want to gate
'.pdf', # maybe we want to gate an entire content type
)
MIDDLEWARE_CLASSES = (
... # Out of the box middleware...blah blah
'yourapp.somemodule.sessionmiddleware.GatedContent',
)
Then you have the following app structure
yourapp
|-somemodule
|-sessionmiddleware.py
Now to the meat (yum!)
sessionmiddleware.py
class GatedContent(object):
"""
Prevents specific content directories and types
from being exposed to non-authenticated users
"""
def process_request(self, request):
path = request.path
user = request.user # out of the box auth, YMMV
is_gated = False
for gated in settings.GATED_CONTENT:
if path.startswith(gated) or path.endswith(gated):
is_gated = True
break
# Validate the user is an authenticated/valid user
if is_gated and not user.is_authenticated():
# Handle redirect
You might be interested in XSendfile.
This is most [elegant and] performance choice IMO: actual files will be served by you webserver, while access control to this files will be done using your Django app.
You may google for "django xsendfile", there are lot of useful posts.
How can I create a single log-in and profile for a network of three sites using Django?
I have a network of three sites and instead of having the user create a profile at each of the three sites, I'd like the user to only need to register one time, and then be able to use all three.
Is there an elegant solution to this problem?
Let the sites share the databases. Hence they will have a common user table.
Take a look at the django sites framework: http://docs.djangoproject.com/en/dev/ref/contrib/sites/
Depends on your server(s).
Do all the sites have access to the same DB? Then use dcrodjer's answer.
If not, you can implement a OAuth style Single Signon Service, that the other sites authenticate against.
Ex:
site1.example.com
site2.example.com
site3.example.com
siteN.example.com
Would auth against oauth.example.com
If you can put those three sites into subdomains of a single domain, then I'm almost sure you can stick to what Django offers. What I'm writing about is something like this:
site1.mydomain.com
site2.mydomain.com
site3.mydomain.com
-- where login is implemented at mydomain.com.
Basically, mydomain.com should serve a small Django page that implements only the login form and maintains session for ".mydomain.com" domain (note the leading dot - it's required for the session to propagate to site1..3 subdomains). So if you log into mydomain.com, you're effectively logged into all three subsites.
And the easiest way to share server-side auth and session data is to make ubsites 1,2,3 use two databases, one small database shared with mydomain.com for auth and session data, and the other one specific to given site.