id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
37044	Mention in FileField.upload_to documentation that file locations on authenticated models are not automatically authenticated.	Aaron	MANAS MADESHIYA	"It's common practice to add authentication to a model such that it can be
accessed by a subset of users. Developers might assume that the authentication of the model covers authentication
of the ""upload_to""-field, but it does not. Therefore, any authenticated user
who guesses any URL is able to access the underlying file, somewhat circumventing the authentication.
Furthermore, these URLs share common patterns which might expose a lot more files.

Suggestion:

Add a warning to the documentation of ""upload_to"" along the lines of:

""""upload_to"" does not inherit authentication from a model. This has to be done externally.""

""Authentication of the model does not include authentication of ""upload_to"". Any authenticated user
might guess the URLs and can access the underlying files.""

""Make sure to authenticate access to the URL stored in ""upload_to"", as these are not covered by the model authentication.""

Looking forward to discussing this,
Aaron
"	Cleanup/optimization	assigned	Documentation	6.0	Normal			MANAS MADESHIYA	Accepted	0	0	0	0	0	0

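The two controls a practitioner would pair with the warning the ticket asks for, as an added example that is not part of the ticket or of Django's own code: an upload_to callable that produces an unguessable per-owner path (so the "common patterns" the report mentions cannot be enumerated), and a download view that checks the requesting user against the owning record before streaming the file, instead of letting MEDIA_URL serve it. The Document model with its owner and upload fields, the app name myapp, and the helper names are assumptions made for this example.

```python
"""Gating access to a FileField's file (added example, not from the ticket).

Django never applies model-level authorization to the file a FileField
points at: whatever upload_to returns becomes a path under MEDIA_ROOT, and
whatever serves MEDIA_URL hands that file to anyone who knows the URL.  Two
controls are shown: an upload_to callable that yields an unguessable path,
and a view that checks the caller against the owning record before streaming
the file.  `Document`, its `owner` and `upload` fields, the app name `myapp`
and the helper names are assumptions for this example.
"""
import secrets
from pathlib import PurePosixPath
from types import SimpleNamespace


def document_upload_to(instance, filename):
    """upload_to callable returning an unguessable, per-owner path.

    A layout such as documents/<owner_id>/<original name> lets a user who
    knows the pattern enumerate other users' files; a random token removes
    that.  Only the extension of the client-supplied name is kept, so any
    directory components in it are discarded.
    """
    suffix = PurePosixPath(filename).suffix.lower()
    token = secrets.token_urlsafe(24)          # 32 URL-safe chars, no dots
    return f"documents/{instance.owner_id}/{token}{suffix}"


def user_may_access(user, document):
    """Authorization rule for the file; the model does not enforce this on
    the storage path, so the view has to.  Duck-typed so it is testable
    without Django."""
    if not getattr(user, "is_authenticated", False):
        return False
    if getattr(user, "is_staff", False):
        return True
    return document.owner_id == user.pk


def document_download(request, pk):
    """Serve the file through a view; do not expose MEDIA_URL for it.

    The Django imports are local only so this module loads without Django
    for demo(); in a project put them at module level.
    """
    from django.http import FileResponse, Http404
    from django.shortcuts import get_object_or_404

    from myapp.models import Document      # assumed app and model

    document = get_object_or_404(Document, pk=pk)
    if not user_may_access(request.user, document):
        raise Http404                      # same answer as "no such record"
    return FileResponse(
        document.upload.open("rb"),
        as_attachment=True,
        filename=PurePosixPath(document.upload.name).name,
    )


def demo():
    """Constructed stand-ins (not Django models) exercising both helpers."""
    owner = SimpleNamespace(pk=7, is_authenticated=True, is_staff=False)
    stranger = SimpleNamespace(pk=8, is_authenticated=True, is_staff=False)
    anonymous = SimpleNamespace(pk=None, is_authenticated=False, is_staff=False)
    doc = SimpleNamespace(owner_id=7)
    return {
        "path": document_upload_to(doc, "../../etc/passwd.PDF"),
        "path_again": document_upload_to(doc, "../../etc/passwd.PDF"),
        "owner": user_may_access(owner, doc),
        "stranger": user_may_access(stranger, doc),
        "anonymous": user_may_access(anonymous, doc),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Wire the view up with something like path("documents/<int:pk>/download/", document_download) and point the model at upload_to=document_upload_to. The view only helps if the files are not also reachable directly: MEDIA_ROOT (or the storage bucket) must not be served by the web server or made public, otherwise the model check is still bypassed exactly as the report describes. Raising Http404 for unauthorized users rather than 403 avoids confirming that a guessed record exists.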