I am building a django/s3 application with the following behaviour:
我正在构建一个django / s3应用程序,具有以下行为:
- User logs in
- User uploads a document -> document goes to S3 (eventually with a UID name and an alias in the DB?)
- User can download the document
用户登录
用户上传文档 - >文档转到S3(最终在数据库中有UID名称和别名?)
用户可以下载该文档
I'm looking for a way to deny the other users (or, even worse, not logged) to query and get access to the files. One solution I could find is:
我正在寻找一种方法来拒绝其他用户(或者更糟糕的是,没有记录)来查询和访问文件。我能找到的一个解决方案是:
- for every file, the page has links to a processing script
- when the link is clicked, the view processes it (checks user is authenticated, determines the right file in S3) and redirects to it
对于每个文件,该页面都包含指向处理脚本的链接
单击链接时,视图会对其进行处理(检查用户是否经过身份验证,在S3中确定正确的文件)并重定向到该链接
Is this enough? Are there more elegant solutions to this?
这够了吗?有更优雅的解决方案吗?
1 个解决方案
#1
6
Don't make your files public. This will prevent non-authorised users from accessing the files.
不要公开您的文件。这将阻止未授权用户访问文件。
Then in your Django app, you can generate urls with a querystring that allows an authorised user to access an S3 file for a limited time.
然后在您的Django应用程序中,您可以生成带有查询字符串的URL,允许授权用户在限定时间内访问S3文件。
The amazon docs for querystring request authentication have more information.
用于查询字符串请求身份验证的amazon docs有更多信息。
#1
6
Don't make your files public. This will prevent non-authorised users from accessing the files.
不要公开您的文件。这将阻止未授权用户访问文件。
Then in your Django app, you can generate urls with a querystring that allows an authorised user to access an S3 file for a limited time.
然后在您的Django应用程序中,您可以生成带有查询字符串的URL,允许授权用户在限定时间内访问S3文件。
The amazon docs for querystring request authentication have more information.
用于查询字符串请求身份验证的amazon docs有更多信息。