Opened 4 years ago

Closed 4 years ago

#12616 closed (wontfix)

dev server should not override directory listing of static media

Reported by: ahebert
Owned by: nobody
Component: Core (Other)
Version: 1.1
Severity:
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

The dev server can serve the static admin media file from a project directory, which is likely if you want to modify the look of the admin. When set to do so with directory listing allowed by 'show_indexes':True, an attempt to navigate the directory structure from a browser will result in a 401 "Permission Denied" page, which is broken when the same settings allow directory navigation of non-admin media.

An example to reproduce the problem has settings:

SITE_ROOT = os.path.dirname(os.path.realpath(__file__))
MEDIA_ROOT = os.path.join(SITE_ROOT,'media')
MEDIA_URL='/media/'
ADMIN_MEDIA_PREFIX='/media/admin/'

and a urlconf containing:

(r'^%s(?P<path>.*)$' % settings.MEDIA_URL[1:], 'django.views.static.serve', {'document_root': settings.MEDIA_ROOT, 'show_indexes': True}),

and running the server with the command

./manage.py runserver --adminmedia=media/admin

Attachments (1)

patch_admin_media_dir_list.diff (570 bytes) - added by ahebert 4 years ago.

Change History (5)

Changed 4 years ago by ahebert

comment:1 Changed 4 years ago by ahebert

  • Has patch set
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to worksforme
  • Status changed from new to closed

Added a patch that fixes the problem.

comment:2 follow-up: Changed 4 years ago by ahebert

  • Resolution worksforme deleted
  • Status changed from closed to reopened

comment:3 in reply to: ↑ 2 Changed 4 years ago by ahebert

Replying to ahebert:
I think I misunderstood the "worksforme" resolution. The patch submitted works for me, but has not been reviewed or unit-tested, so I've re-opened.

comment:4 Changed 4 years ago by russellm

  • Resolution set to wontfix
  • Status changed from reopened to closed

I'm going to mark this wontfix. The approach you're describing requires that you have a static served copy of the admin media which the AdminMediaHandler falls back onto in order to determine whether a directory listing should be made visible.

What is needed here is an ability to turn on show_indexes on runserver, but that's a sufficient edge case that I don't think it's warranted.

Let me know if I've missed some crucial use case that requires that you be able to navigate a directory structure in a browser (as opposed to, say, a normal file system browser).
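
The mismatch reported in this ticket, as an added example that is not part of the ticket or of Django's code. It is a stdlib-only model that assumes the dev-server handler simply tries to open the requested path as a file, while the view consults a show_indexes flag; the function names and the media tree are constructed for illustration.

```python
import os
import tempfile

# Model only: paths are constructed below, so no path sanitization is done here.

def admin_media_style(root, rel_path):
    """Assumed model of a handler that opens the requested path as a file."""
    full = os.path.join(root, rel_path)
    if not os.path.exists(full):
        return 404, "Page not found: %s" % rel_path
    try:
        with open(full, "rb") as fp:
            return 200, fp.read()
    except OSError:
        # Opening a directory fails, so the request is reported as denied.
        return 401, "Permission denied: %s" % rel_path

def static_serve_style(root, rel_path, show_indexes=False):
    """Model of a view that lists directories only when show_indexes is set."""
    full = os.path.join(root, rel_path)
    if os.path.isdir(full):
        if not show_indexes:
            return 404, "Directory indexes are not allowed here."
        return 200, sorted(os.listdir(full))
    if not os.path.exists(full):
        return 404, "Page not found: %s" % rel_path
    with open(full, "rb") as fp:
        return 200, fp.read()

def demo():
    """Build a constructed media/admin tree and compare both code paths."""
    with tempfile.TemporaryDirectory() as media_root:
        css_dir = os.path.join(media_root, "admin", "css")
        os.makedirs(css_dir)
        with open(os.path.join(css_dir, "base.css"), "wb") as f:
            f.write(b"body{}")
        return {
            "handler_dir": admin_media_style(media_root, "admin/css"),
            "handler_file": admin_media_style(media_root, "admin/css/base.css"),
            "view_listing_on": static_serve_style(media_root, "admin/css", True),
            "view_listing_off": static_serve_style(media_root, "admin/css", False),
        }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In this model the same directory yields a listing from the view and a 401 from the handler, so whichever component answers the /media/admin/ prefix first decides what the browser sees.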
