Opened 11 years ago
Closed 11 years ago
#21219 closed New feature (fixed)
The FILE_UPLOAD_PERMISSIONS should not be used when deploying static files
Reported by: | Owned by: | Vajrasky Kok | |
---|---|---|---|
Component: | contrib.staticfiles | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
The FILE_UPLOAD_PERMISSIONS permission is used in the django.contrib.staticfiles.storage.staticfiles_storage backend *and* it really shouldn't be. The use of the FILE_UPLOAD_PERMISSIONS permission to govern the deployed permission of static files is not documented so it should be possible to make a new STATIC_FILE_PERMISSIONS setting which is used instead of FILE_UPLOAD_PERMISSIONS during collectstatic :-)
Attachments (1)
Change History (12)
comment:1 by , 11 years ago
Component: | File uploads/storage → contrib.staticfiles |
---|---|
Triage Stage: | Unreviewed → Accepted |
by , 11 years ago
Attachment: | add_static_file_permission.diff added |
---|
comment:2 by , 11 years ago
Has patch: | set |
---|---|
Type: | Cleanup/optimization → New feature |
@vajrasky - any chance you can make a pull request on github so we can more easily comment on the patch?
Also don't forget to tick "Has patch" so the ticket shows up for review.
comment:3 by , 11 years ago
$ git push origin ticket_21219
error: The requested URL returned error: 403 Forbidden while accessing https://vajrasky@github.com/django/django.git/info/refs?service=git-receive-pack
fatal: HTTP request failed
@timo, I am working on it. Probably it takes longer time since I need to learn how to solve this problem.
comment:4 by , 11 years ago
Apparently I did not fork the django repo first from my github account. Now I managed to make a pull request! https://github.com/django/django/pull/1747
comment:5 by , 11 years ago
Rather than adding a setting for this (we are trying to avoid settings), should we instead suggest subclassing the STATICFILES_STORAGE
class and overriding the new permissions_mode
attribute this patch offers?
comment:6 by , 11 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
Let me get this straight.
So FileSystemStorage has self.file_permissions_mode and self.directory_permissions_mode. Their values come from settings.FILE_UPLOAD_PERMISSIONS and settings.FILE_UPLOAD_DIRECTORY_PERMISSIONS.
For StaticFilesStorage, the situation is same. But if you dislike the permissions, all you have to do is...
class CustomStaticFilesStorage(StaticFilesStorage): def __init__(self, location=None, base_url=None, *args, **kwargs): self.file_permissions_mode = 0o644 self.directory_permissions_mode = 0o600 super(CustomStaticFilesStorage, self).__init__(location, base_url, *args, **kwargs) settings.STATICFILES_STORAGE = CustomStaticFilesStorage()
Is that what is in your mind?
comment:7 by , 11 years ago
Correct, although I would expect the subclass to simply look like this:
class CustomStaticFilesStorage(StaticFilesStorage): file_permissions_mode = 0o644 directory_permissions_mode = 0o600
comment:8 by , 11 years ago
This is the new pull request. https://github.com/django/django/pull/1779
Some notes:
- There is no way to set permission to the directories of static files either with FILE_UPLOAD_PERMISSIONS and FILE_DIRECTORY_UPLOAD_PERMISSIONS. Therefore I can not override the directories permission by subclassing StaticFilesStorage without a lot of works. I prefer to create a separate ticket for this bug. One step at at time.
- At first, I want to add file_permissions_mode class attribute in Storage or FileSystemStorage class and give the default value of FILE_UPLOAD_PERMISSIONS to this class attribute. However some tests depend on the behaviour of FileSystemStorage checking the value of FILE_UPLOAD_PERMISSIONS at the *last minute* before setting the permissions to uploaded files. So from engineering perspective, this behaviour is a little bit inconsistent with the StaticFilesStorage. But there is nothing I can do.
comment:9 by , 11 years ago
Actually in receiving some feedback on another ticket, I think it would be better to use an instance attribute. I've sent an updated pull request. Please take a look and let me know if it looks good.
comment:10 by , 11 years ago
Aside from 0o000 permission issue, LGTM.
Actually before the fix file_permissions_mode if file_permissions_mode is not None else settings.FILE_UPLOAD_PERMISSIONS
, the PR breaks file_upload test. Now it works again.
comment:11 by , 11 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Added STATIC_FILE_PERMISSIONS to collectstatic and tested it and documented it!