1

如何限制对媒体图像 url 的访问,并使其只能由 django 中的访问所有者用户访问,

这是我的班级模型:

class private_image(models.Model):
    i_user = models.OneToOneField(User, related_name='related_PRF_user', on_delete=models.CASCADE)
    i_image= models.ImageField(upload_to='images', blank=True, null=True )

我的媒体设置是:

MEDIA_ROOT = os.path.join(BASE_DIR, 'media_root/')
MEDIA_URL = '/media_url/'

例如:如果请求用户不是同一所有者用户,我不希望用户在他们的浏览器中放置像这样的图像 url “http://127.0.0.1:8000/media_url/images/67155_0_AVemgEZ.jpg”并打开图像.

我相信,我可以创建一个小函数来检查访问用户和请求的 URL '/media_url/images/' 以获取图像名称,然后使用图像名称从数据库中获取一个对象,然后检查所有者(i_user)是否相同访问-用户。

但是我怎么能告诉 Django 在服务 MEDIA_URL 请求之前使用这个函数。

如果你有一个例子,那将非常有帮助。

先感谢您

4

1 回答 1

2

All requests for media should go throught a specific view.

myproject/urls.py:

from myproject.views import media_access

urlpatterns = [
    ...,
    path('media_url/images/<str:path>', media_access, name='media'),
    # or
    # url(r'^media_url/(?P<path>.*)', media_access, name='media'),
]

Add the view and check access.

myproject/views.py:

from django.http.response import FileResponse
from django.http import HttpResponseForbidden

def media_access(request, path):    
    access_granted = False

    user = request.user
    if user.is_authenticated():
        if user.is_staff:
            # If admin, everything is granted
            access_granted = True
        else:
            # For simple user, only their documents can be accessed
            doc = user.related_PRF_user.i_image  #Customize this...

            path = f"images/{path}"
            if path == doc:
                access_granted = True

    if access_granted:
        response = FileResponse(user.related_PRF_user.i_image)
        return response
    else:
        return HttpResponseForbidden('Not authorized to access this media.')

Plz tell me this works or not..

于 2021-04-26T17:35:44.863 回答