dev server should not override directory listing of static media

[Arthur Hebert]

The dev server can serve the static admin media file from a project directory, which is likely if you want to modify the look of the admin. When set to do so with directory listing allowed by 'show_indexes':True, an attempt to navigate the directory structure from a browser will result in a 401 "Permission Denied" page, which is broken when the same settings allow directory navigation of non-admin media.

An example to reproduce the problem has settings:

SITE_ROOT = os.path.dirname(os.path.realpath(__file__))
MEDIA_ROOT = os.path.join(SITE_ROOT,'media')
MEDIA_URL='/media/'
ADMIN_MEDIA_PREFIX='/media/admin/'

and a urlconf containing:

(r'^%s(?P<path>.*)$' % settings.MEDIA_URL[1:], 'django.views.static.serve', {'document_root': settings.MEDIA_ROOT, 'show_indexes': True}),

and running the server with the command

./manage.py runserver --adminmedia=media/admin

[Arthur Hebert]

Added a patch that fixes the problem.

[Arthur Hebert]

Replying to ahebert:
I think I misunderstood the "worksforme" resolution. The patch submitted works for me, but has not been reviewed or unit-tested, so I've re-opened.

[Russell Keith-Magee]

I'm going to mark this wontfix. The approach you're describing requires that you have a static served copy of the admin media which the AdminMediaHandler falls back onto in order to determine whether a directory listing should be made visible.

What is needed here is an ability to turn on show_indexes on runserver, but that's a sufficient edge case that I don't think it's warranted.

Let me know if I've missed some crucial use case that requires that you be able to navigate a directory structure in a browser (as opposed to, say, a normal file system browser)