#8454 closed (fixed)
uploaded file permissions vary based on handler
| Reported by: | Dan Watson | Owned by: | nobody |
|---|---|---|---|
| Component: | File uploads/storage | Version: | dev |
| Severity: | Keywords: | file upload permission mode | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
As mentioned a few times in #2070, uploaded files large enough to be streamed to a temporary file get created with a mode of 0600, as per python's tempfile.mkstemp. This causes two problems:
- Files uploaded into memory and saved to disk respect the umask, so uploads could have different permissions based on how big they are.
- If the webserver user and django user do not match (such as when running an external FastCGI process), the webserver can no longer serve uploaded files.
Attached is a patch that implements a FILE_UPLOAD_PERMISSIONS setting. Right now, it defaults to the current behavior (leaving the permissions alone).
Discussion (or lack thereof) here:
http://groups.google.com/group/django-developers/browse_frm/thread/e7d7ca62b9f6d331
The inconsistency seems like a bug to me, so marking as 1.0.
Attachments (1)
Change History (7)
by , 16 years ago
comment:1 by , 16 years ago
comment:2 by , 16 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:3 by , 16 years ago
comment:4 by , 16 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
I like the approach taken in the proposed patch. But I think it should be made clear, both in the doc and in the constant's name (
FILE_UPLOAD_PERMISSIONS), that this only applies to the standard file system (FileSystemStorage).