Context Navigation

← Previous Ticket
Next Ticket →

#28540 closed Cleanup/optimization (fixed)

Document changes to file upload permissions in Django 1.11

Reported by:	Yaroslav Demidenko	Owned by:	nobody
Component:	Documentation	Version:	1.11
Severity:	Normal	Keywords:	ImageField, save, permissions
Cc:	Simen Heggestøyl, Keryn Knight	Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description (last modified by Tim Graham)

This bug find in prod server (nginx, supervisor + gunicorn)

I have models: MainModel() and

SubModel(models.Model):
    main_id = FK(MainModel)
    im1 = ImageField()
    im2 = ImageField()
    im3 = ImageField()

When I fill SubModel object in admin (as InlineAdmin) and click save button, all images are saved, but permissions == 0600.
If I fill any two imgs (or one), all is well.
Django 1.10.5 - this bug not found.

Sorry for my English.

Change History (18)

comment:1 by Tim Graham, 7 years ago

Description:	modified (diff)

Have you set settings.FILE_UPLOAD_PERMISSIONS? Can you reproduce the problem in a non-production environment? It's unclear if someone could reproduce the problem based on the little information you provided. Can you provide a minimal sample project that reproduces the issue? Can you bisect the regression to determine where the behavior changed?

comment:2 by Tim Graham, 7 years ago

Resolution:	→ needsinfo
Status:	new → closed

comment:3 by Xavier Ordoquy, 7 years ago

Been hitting the same issue although it's somewhat inconsistent. Some context:

Only have one FileField on the model.
So far, it's been happening and reproduced on production with only one file (24 uploaded files)

We'll set FILE_UPLOAD_PERMISSIONS and see if that fixes the issue.

Meanwhile, here's the raw unedited model. I don't think it has anything fancy and no signal:

@python_2_unicode_compatible
class Livret(models.Model):
    bDisplay = models.BooleanField("Utilisé ce semestre", default=True)
    nom = models.CharField(_("Nom"), max_length=255, blank=False, null=False)
    file = models.FileField(_("Fichier"), upload_to="PDF")
    infos = models.TextField(blank=True, null=True)
    tags = TaggableManager(blank=True)
    events = models.ManyToManyField(Event, related_name='livrets', verbose_name=("Events"), blank=True)

    def __str__(self):
        return self.nom

comment:4 by Simen Heggestøyl, 7 years ago

Cc:	Simen Heggestøyl added
Resolution:	needsinfo
Status:	closed → new

We've hit the same issue, and I've identified f734e2d4b2fc4391a4d097b80357724815c1d414 as the offending commit.

The issue seems to be that when FILE_UPLOAD_PERMISSIONS is None, the default system permissions are used. This worked fine for us, because our system default is 644, which is what we wanted. After f734e2d4b2fc4391a4d097b80357724815c1d414 however, when the uploaded file is sufficiently large, the system's permissions for temporary files is used instead (which was 600 in our case).

Setting FILE_UPLOAD_PERMISSIONS explicitly fixes the issue, but I think this behavioral change should be mentioned in the release notes.

comment:5 by Simon Charette, 7 years ago

Triage Stage:	Unreviewed → Accepted

comment:6 by Tim Graham, 7 years ago

Component:	File uploads/storage → Documentation
Summary:	When you save three or more ImageField in admin file perm = 0o600 → Document changes to file upload permissions in Django 1.11
Type:	Bug → Cleanup/optimization

The behavior might also be mentioned somewhere in the file upload documentation.

comment:7 by René Fleschenberg, 7 years ago

Are you sure that we should consider this a documentation bug? I think it doesn't make sense to use different permissions depending on the file size.

I know I am late to the party, but just in case it is of any use, I set up a minimal project that demonstrates the issue: https://github.com/rfleschenberg/django-file-upload-bug

comment:8 by Tim Graham, 7 years ago

No, I'm not sure. I don't think I investigated the issue in detail.

comment:9 by Keryn Knight, 7 years ago

Cc:	Keryn Knight added

comment:10 by Claude Paroz, 6 years ago

Has patch:	set

See this PR as a possible approach.

comment:11 by Tim Graham, 6 years ago

As I mentioned in the PR discussion, the new behavior seems consistent with the original documentation added with the introduction of the FILE_UPLOAD_PERMISSIONS setting:

On most platforms, temporary files will have a mode of 0600, and files saved from memory will be saved using thesystem's standard umask.

By default, MemoryFileUploadHandler is used for files up to settings.FILE_UPLOAD_MAX_MEMORY_SIZE, otherwise TemporaryFileUploadHandler is used.

If we decide not to make a change (probably the discussion should move to django-developers), then we could at least add a note to the deployment checklist. Carlton proposed adding a system check that warns if the FILE_UPLOAD_PERMISSIONS setting isn't set but that feels a bit heavy handed as none of the open source Django projects I checked have specified this setting so presumably it isn't a common issue.

comment:12 by Tim Graham, 6 years ago

Triage Stage:	Accepted → Ready for checkin

The django-developers discussion about changing the upload behavior hasn't received any replies. I'll proceed with the documentation patches, and we can open a new ticket if there's a later consensus to make a code change.