id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
12616	dev server should not override directory listing of static media	Arthur Hebert	nobody	"The dev server can serve the static admin media file from a project directory, which is likely if you want to modify the look of the admin. When set to do so with directory listing allowed by {{{'show_indexes':True}}}, an attempt to navigate the directory structure from a browser will result in a 401 ""Permission Denied"" page, which is broken when the same settings allow directory navigation of non-admin media.

An example to reproduce the problem has settings:
{{{
SITE_ROOT = os.path.dirname(os.path.realpath(__file__))
MEDIA_ROOT = os.path.join(SITE_ROOT,'media')
MEDIA_URL='/media/'
ADMIN_MEDIA_PREFIX='/media/admin/'
}}}

and a urlconf containing:

{{{
(r'^%s(?P<path>.*)$' % settings.MEDIA_URL[1:], 'django.views.static.serve', {'document_root': settings.MEDIA_ROOT, 'show_indexes': True}),
}}}

and running the server with the command

{{{
./manage.py runserver --adminmedia=media/admin
}}}"		closed	Core (Other)	1.1		wontfix			Unreviewed	1	0	0	0	0	0