Opened 7 years ago

Closed 6 years ago

Last modified 6 years ago

#28540 closed Cleanup/optimization (fixed)

Document changes to file upload permissions in Django 1.11

Reported by: Yaroslav Demidenko Owned by: nobody
Component: Documentation Version: 1.11
Severity: Normal Keywords: ImageField, save, permissions
Cc: Simen Heggestøyl, Keryn Knight Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Tim Graham)

This bug find in prod server (nginx, supervisor + gunicorn)

I have models: MainModel() and

SubModel(models.Model):
    main_id = FK(MainModel)
    im1 = ImageField()
    im2 = ImageField()
    im3 = ImageField()

When I fill SubModel object in admin (as InlineAdmin) and click save button, all images are saved, but permissions == 0600.
If I fill any two imgs (or one), all is well.
Django 1.10.5 - this bug not found.

Sorry for my English.

Change History (18)

comment:1 by Tim Graham, 7 years ago

Description: modified (diff)

Have you set settings.FILE_UPLOAD_PERMISSIONS? Can you reproduce the problem in a non-production environment? It's unclear if someone could reproduce the problem based on the little information you provided. Can you provide a minimal sample project that reproduces the issue? Can you bisect the regression to determine where the behavior changed?

comment:2 by Tim Graham, 7 years ago

Resolution: needsinfo
Status: newclosed

comment:3 by Xavier Ordoquy, 7 years ago

Been hitting the same issue although it's somewhat inconsistent. Some context:

  • Only have one FileField on the model.
  • So far, it's been happening and reproduced on production with only one file (24 uploaded files)

We'll set FILE_UPLOAD_PERMISSIONS and see if that fixes the issue.

Meanwhile, here's the raw unedited model. I don't think it has anything fancy and no signal:

@python_2_unicode_compatible
class Livret(models.Model):
    bDisplay = models.BooleanField("Utilisé ce semestre", default=True)
    nom = models.CharField(_("Nom"), max_length=255, blank=False, null=False)
    file = models.FileField(_("Fichier"), upload_to="PDF")
    infos = models.TextField(blank=True, null=True)
    tags = TaggableManager(blank=True)
    events = models.ManyToManyField(Event, related_name='livrets', verbose_name=("Events"), blank=True)

    def __str__(self):
        return self.nom

comment:4 by Simen Heggestøyl, 7 years ago

Cc: Simen Heggestøyl added
Resolution: needsinfo
Status: closednew

We've hit the same issue, and I've identified f734e2d4b2fc4391a4d097b80357724815c1d414 as the offending commit.

The issue seems to be that when FILE_UPLOAD_PERMISSIONS is None, the default system permissions are used. This worked fine for us, because our system default is 644, which is what we wanted. After f734e2d4b2fc4391a4d097b80357724815c1d414 however, when the uploaded file is sufficiently large, the system's permissions for temporary files is used instead (which was 600 in our case).

Setting FILE_UPLOAD_PERMISSIONS explicitly fixes the issue, but I think this behavioral change should be mentioned in the release notes.

comment:5 by Simon Charette, 7 years ago

Triage Stage: UnreviewedAccepted

comment:6 by Tim Graham, 7 years ago

Component: File uploads/storageDocumentation
Summary: When you save three or more ImageField in admin file perm = 0o600Document changes to file upload permissions in Django 1.11
Type: BugCleanup/optimization

The behavior might also be mentioned somewhere in the file upload documentation.

comment:7 by René Fleschenberg, 7 years ago

Are you sure that we should consider this a documentation bug? I think it doesn't make sense to use different permissions depending on the file size.

I know I am late to the party, but just in case it is of any use, I set up a minimal project that demonstrates the issue: https://github.com/rfleschenberg/django-file-upload-bug

comment:8 by Tim Graham, 7 years ago

No, I'm not sure. I don't think I investigated the issue in detail.

comment:9 by Keryn Knight, 7 years ago

Cc: Keryn Knight added

comment:10 by Claude Paroz, 6 years ago

Has patch: set

See this PR as a possible approach.

comment:11 by Tim Graham, 6 years ago

As I mentioned in the PR discussion, the new behavior seems consistent with the original documentation added with the introduction of the FILE_UPLOAD_PERMISSIONS setting:

On most platforms, temporary files will have a mode of 0600, and files saved from memory will be saved using thesystem's standard umask.

By default, MemoryFileUploadHandler is used for files up to settings.FILE_UPLOAD_MAX_MEMORY_SIZE, otherwise TemporaryFileUploadHandler is used.

If we decide not to make a change (probably the discussion should move to django-developers), then we could at least add a note to the deployment checklist. Carlton proposed adding a system check that warns if the FILE_UPLOAD_PERMISSIONS setting isn't set but that feels a bit heavy handed as none of the open source Django projects I checked have specified this setting so presumably it isn't a common issue.

comment:12 by Tim Graham, 6 years ago

Triage Stage: AcceptedReady for checkin

The django-developers discussion about changing the upload behavior hasn't received any replies. I'll proceed with the documentation patches, and we can open a new ticket if there's a later consensus to make a code change.

comment:13 by Tim Graham <timograham@…>, 6 years ago

In ef70af77:

Refs #28540 -- Added FILE_UPLOAD_PERMISSIONS to deployment checklist.

comment:14 by Tim Graham <timograham@…>, 6 years ago

Resolution: fixed
Status: newclosed

In 89d4d412:

Fixed #28540 -- Doc'd a change to file upload permissions in Django 1.11.

Behavior changed in f734e2d4b2fc4391a4d097b80357724815c1d414
(refs #27334).

comment:15 by Tim Graham <timograham@…>, 6 years ago

In 1e8c68f:

[2.1.x] Refs #28540 -- Added FILE_UPLOAD_PERMISSIONS to deployment checklist.

Backport of ef70af77ec53160d5ffa060c1bdf5ed93322d84f from master

comment:16 by Tim Graham <timograham@…>, 6 years ago

In 37c0a336:

[2.1.x] Fixed #28540 -- Doc'd a change to file upload permissions in Django 1.11.

Behavior changed in f734e2d4b2fc4391a4d097b80357724815c1d414
(refs #27334).

Backport of 89d4d412404d31ef34ae3170c0c056eff55b2a17 from master

comment:17 by Tim Graham <timograham@…>, 6 years ago

In b113c6ad:

[2.0.x] Fixed #28540 -- Doc'd a change to file upload permissions in Django 1.11.

Behavior changed in f734e2d4b2fc4391a4d097b80357724815c1d414
(refs #27334).

Backport of 89d4d412404d31ef34ae3170c0c056eff55b2a17 from master

comment:18 by Tim Graham <timograham@…>, 6 years ago

In ceae3069:

[1.11.x] Fixed #28540 -- Doc'd a change to file upload permissions in Django 1.11.

Behavior changed in f734e2d4b2fc4391a4d097b80357724815c1d414
(refs #27334).

Backport of 89d4d412404d31ef34ae3170c0c056eff55b2a17 from master

Note: See TracTickets for help on using tickets.
Back to Top