#21219 closed New feature (fixed)

The FILE_UPLOAD_PERMISSIONS should not be used when deploying static files

Reported by: dblack+django@…
Owned by: vajrasky
Component: contrib.staticfiles
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The FILE_UPLOAD_PERMISSIONS permission is used in the django.contrib.staticfiles.storage.staticfiles_storage backend *and* it really shouldn't be. The use of the FILE_UPLOAD_PERMISSIONS permission to govern the deployed permission of static files is not documented so it should be possible to make a new STATIC_FILE_PERMISSIONS setting which is used instead of FILE_UPLOAD_PERMISSIONS during collectstatic :-)

Attachments (1)

add_static_file_permission.diff (7.0 KB) - added by vajrasky 22 months ago.
Added STATIC_FILE_PERMISSIONS to collectstatic and tested it and documented it!


Change History (12)

comment:1 Changed 22 months ago by aaugustin

  • Component changed from File uploads/storage to contrib.staticfiles
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

Changed 22 months ago by vajrasky

Added STATIC_FILE_PERMISSIONS to collectstatic and tested it and documented it!

comment:2 Changed 22 months ago by timo

  • Has patch set
  • Type changed from Cleanup/optimization to New feature

@vajrasky - any chance you can make a pull request on github so we can more easily comment on the patch?

Also don't forget to tick "Has patch" so the ticket shows up for review.

comment:3 Changed 22 months ago by vajrasky

$ git push origin ticket_21219
error: The requested URL returned error: 403 Forbidden while accessing https://vajrasky@github.com/django/django.git/info/refs?service=git-receive-pack
fatal: HTTP request failed

@timo, I am working on it. It will probably take longer since I need to learn how to solve this problem.

comment:4 Changed 22 months ago by vajrasky

Apparently I did not fork the django repo first from my github account. Now I managed to make a pull request! https://github.com/django/django/pull/1747

comment:5 Changed 22 months ago by timo

Rather than adding a setting for this (we are trying to avoid settings), should we instead suggest subclassing the STATICFILES_STORAGE class and overriding the new permissions_mode attribute this patch offers?

comment:6 Changed 22 months ago by vajrasky

  • Owner changed from nobody to vajrasky
  • Status changed from new to assigned

Let me get this straight.

So FileSystemStorage has self.file_permissions_mode and self.directory_permissions_mode. Their values come from settings.FILE_UPLOAD_PERMISSIONS and settings.FILE_UPLOAD_DIRECTORY_PERMISSIONS.

For StaticFilesStorage, the situation is the same. But if you dislike the permissions, all you have to do is...

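from django.contrib.staticfiles.storage import StaticFilesStorage

class CustomStaticFilesStorage(StaticFilesStorage):
    def __init__(self, location=None, base_url=None, *args, **kwargs):
        self.file_permissions_mode = 0o644
        self.directory_permissions_mode = 0o600
        super(CustomStaticFilesStorage, self).__init__(location, base_url,
                                                       *args, **kwargs)

# settings.py: the setting takes a dotted import path, not an instance
# ("myproject.storage" is a placeholder module path).
STATICFILES_STORAGE = 'myproject.storage.CustomStaticFilesStorage'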

Is that what you have in mind?

comment:7 Changed 22 months ago by timo

Correct, although I would expect the subclass to simply look like this:

class CustomStaticFilesStorage(StaticFilesStorage):
    file_permissions_mode = 0o644
    directory_permissions_mode = 0o600

comment:8 Changed 22 months ago by vajrasky

This is the new pull request. https://github.com/django/django/pull/1779

Some notes:

  1. There is no way to set permission to the directories of static files either with FILE_UPLOAD_PERMISSIONS or FILE_DIRECTORY_UPLOAD_PERMISSIONS. Therefore I can not override the directories permission by subclassing StaticFilesStorage without a lot of work. I prefer to create a separate ticket for this bug. One step at a time.
  2. At first, I wanted to add a file_permissions_mode class attribute in the Storage or FileSystemStorage class and give the default value of FILE_UPLOAD_PERMISSIONS to this class attribute. However some tests depend on the behaviour of FileSystemStorage checking the value of FILE_UPLOAD_PERMISSIONS at the *last minute* before setting the permissions to uploaded files. So from an engineering perspective, this behaviour is a little bit inconsistent with the StaticFilesStorage. But there is nothing I can do.

comment:9 Changed 21 months ago by timo

Actually in receiving some feedback on another ticket, I think it would be better to use an instance attribute. I've sent an updated pull request. Please take a look and let me know if it looks good.

comment:10 Changed 21 months ago by vajrasky

Aside from the 0o000 permission issue, LGTM.

Actually, before the fix file_permissions_mode if file_permissions_mode is not None else settings.FILE_UPLOAD_PERMISSIONS, the PR broke the file_upload test. Now it works again.

comment:11 Changed 21 months ago by Tim Graham <timograham@…>

  • Resolution set to fixed
  • Status changed from assigned to closed

In 9eecb9169566db263e243e4522b08ea1403ee95f:

Fixed #21219 -- Added a way to set different permission for static files.

Previously, when collecting static files, the files would receive permission
from FILE_UPLOAD_PERMISSIONS. Now, there's an option to give different
permission from uploaded files permission by subclassing any of the static
files storage classes and setting the file_permissions_mode parameter.

Thanks dblack at atlassian.com for the suggestion.
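
Added example, not part of the ticket or of Django's code: a stand-alone sketch of the pattern the thread settles on, where an instance attribute falls back to the upload setting with the `is not None` test quoted in comment:10 and a subclass gives static files their own mode. `SketchStorage`, `SketchStaticStorage`, `audit` and the 0o600 upload default are hypothetical names and values constructed for illustration; `audit` is the check one would run over a collected static directory to find files whose mode is not the expected one.

```python
import os
import stat
import tempfile

FILE_UPLOAD_PERMISSIONS = 0o600  # constructed stand-in for the Django setting


class SketchStorage:
    """Hypothetical stand-in for a file-system storage class (not Django code)."""

    def __init__(self, location, file_permissions_mode=None):
        self.location = location
        # Fallback quoted in comment:10: only None falls back to the upload
        # setting, so an explicit 0o000 is kept rather than treated as unset.
        self.file_permissions_mode = (
            file_permissions_mode if file_permissions_mode is not None
            else FILE_UPLOAD_PERMISSIONS)

    def save(self, name, data):
        path = os.path.join(self.location, name)
        with open(path, "wb") as fh:
            fh.write(data)
        # chmod after writing, so the result does not depend on the umask.
        os.chmod(path, self.file_permissions_mode)
        return path


class SketchStaticStorage(SketchStorage):
    """Static files get their own mode, independent of the upload setting."""

    def __init__(self, location, file_permissions_mode=0o644):
        super().__init__(location, file_permissions_mode)


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def audit(root, expected):
    """Return files under root whose permission bits differ from expected."""
    found = (os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)
    return sorted(os.path.relpath(p, root) for p in found if mode_of(p) != expected)


def demo():
    with tempfile.TemporaryDirectory() as root:
        upload = SketchStorage(root).save("upload.bin", b"x")
        css = SketchStaticStorage(root).save("site.css", b"body{}")
        return mode_of(upload), mode_of(css), audit(root, 0o644)
```

Calling `demo()` writes one file through each class into a temporary directory; the audit then reports only the file that inherited the upload mode.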
