How do you Require Login for Media Files in Django


I'm serving "sensitive" information in downloadable PDF's and Spreadsheets within a user registration section of a site.

Is there a way to allow the django authentication to secure this media without serving it (and not have to manually login using basic auth)?

I'm guessing there's (fingers crossed) not a way to do it with the pseudo code below, but it helps better illustrate the end goal.

# urls.py
from django.urls import re_path
from . import views
urlpatterns = [re_path(r'^protected_media/(?P<filename>.*)$', views.protected_media)]

# views.py
from django.conf import settings
from django.contrib.auth.decorators import login_required
from django.core.exceptions import SuspiciousFileOperation
from django.http import FileResponse, Http404
from django.utils._os import safe_join

@login_required
def protected_media(request, filename):
    # @login_required bounces you out to the login url
    # if logged in, serve "filename" (the goal is to have Apache do this part);
    # PROTECTED_MEDIA_ROOT is an assumed settings value for a directory outside MEDIA_ROOT
    try:
        path = safe_join(settings.PROTECTED_MEDIA_ROOT, filename)  # rejects '../' escapes
        return FileResponse(open(path, 'rb'), as_attachment=True)
    except (SuspiciousFileOperation, OSError):
        raise Http404

4 solutions

#1


9  

It seems to me that the method you outlined in your code should work. It's really no different than any other protected resource: your views can serve files from disks, records from databases, rendered templates or anything. Just as the login_required decorator prevents unauthorized access to other views, it will prevent such access to your view serving protected media.

Am I missing something from your question here? Please clarify if that's the case.

EDIT: With regard to the django doc link in your comment: that's the method for simply serving any requested file from a particular directory. So, in that example URLs like /site_media/foo.jpg, /site_media/somefolder/bar.jpg will automatically look for files foo.jpg and somefolder/bar.jpg under document_root. Basically, everything under document_root will be publicly available. That's obviously insecure. So you avoid that with your method.

It's also considered inefficient because django is just adding a lot of unnecessary overhead when all you need is something like Apache to take a URL request and map it to a file on the hard drive. (You don't need django sessions, request processing, etc.)

In your case, this may not be such a big concern. First, you've secured the view. Second, it depends on your usage patterns. How many requests do you anticipate for these files? You're only using django for authentication -- does that justify other overhead? If not, you can look into serving those files with Apache and using an authentication provider. For more on this, see the mod_wsgi documentation:

  • http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms
    • see the section "Apache Authentication Provider" and search for django

There are similar mechanisms available under mod_python I believe. (Update: just noticed the other answer. Please see Andre's answer for the mod_python method.)

EDIT 2: With regard to the code for serving a file, please see this snippet:

The send_file method uses a FileWrapper which is good for sending large static files back (it doesn't read the entire file into memory). You would need to change the content_type depending on the type of file you're sending (pdf, jpg, etc).

#2


4  

Read this Django ticket for more info. Start at the bottom to save yourself some time. Looks like it just missed getting into Django 1.2, and I assume also isn't in 1.3.

For Nginx, I found this Django snippet that takes advantage of the X-Accel-Redirect header, but haven't tried it yet.

#3


3  

More efficient serving of static files through Django is being looked at currently as part of Google SOC project. For WSGI this will use wsgi.file_wrapper extensions for WSGI if available, as it is for mod_wsgi, and req.sendfile() if using mod_python. It will also support returning of headers such as 'Location', 'X-Accel-Redirect' and others, which different web hosting mechanisms and proxy front ends accept as a means of serving up static files where location is defined by a backend web application, which isn't as efficient as front end for serving static files.

I am not sure if there is a project page for this in Django wiki somewhere or not, but the code changes are being committed into the branches/soc2009/http-wsgi-improvements branch of Django source code repository.

You needn't strictly wait for that stuff. It is just putting a clean and portable interface in place across the different mechanisms. If using nginx as front end in front of Apache/mod_wsgi, you could use X-Accel-Redirect now. If using Apache/mod_wsgi 3.0 and daemon mode, you could use Location now, but do need to ensure you set up Apache correctly. Alternatively, you could implement your own WSGI middleware wrapper around the Django application which looks for some response header of your own to indicate the file to be returned and which uses wsgi.file_wrapper to return that instead of the actual response returned from Django.

BTW, the authentication hook mechanisms listed for both mod_python and mod_wsgi by others would use HTTP basic authentication, which isn't what you wanted. This is presuming you want files to be protected by Django form based login mechanism using cookies and backend sessions.

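An added, runnable illustration (not code from the question or from any of the answers) of the pattern that #1 and #3 both describe: a login-gated endpoint that only decides access and names the file, wrapped in a WSGI middleware that turns a private response header into a streamed file body via wsgi.file_wrapper, the same division of labour a front end gives you with X-Accel-Redirect or X-Sendfile. It is plain standard-library WSGI rather than Django so that it runs offline; the header name X-Protected-File, the sessionid cookie checked against an in-memory set, the /accounts/login/ URL and the document root passed by the caller are all assumptions standing in for Django's session and settings machinery. The containment check in resolve_under_root is the part a practitioner should not skip: the filename comes straight from the URL, and realpath() plus commonpath() is what keeps "../" and symlinks from escaping the protected directory.

```python
import mimetypes
import os
import tempfile
from http import cookies
from wsgiref.util import FileWrapper

PROTECTED_HEADER = "X-Protected-File"  # assumed name of the private header
LOGIN_URL = "/accounts/login/"         # assumed; stands in for settings.LOGIN_URL


def is_logged_in(environ, valid_sessions):
    """Stand-in for Django's session check: a 'sessionid' cookie whose value
    is a known session. A real app defers to the framework's session backend."""
    jar = cookies.SimpleCookie()
    jar.load(environ.get("HTTP_COOKIE", ""))
    morsel = jar.get("sessionid")
    return morsel is not None and morsel.value in valid_sessions


def protected_media_app(valid_sessions):
    """The 'view': decides yes/no and names the file, never touches the disk.
    Anonymous callers are bounced to the login page, as @login_required does."""
    def app(environ, start_response):
        if not is_logged_in(environ, valid_sessions):
            start_response("302 Found", [("Location", LOGIN_URL)])
            return [b""]
        filename = environ.get("PATH_INFO", "")
        if filename.startswith("/protected_media/"):
            filename = filename[len("/protected_media/"):]
        start_response("200 OK", [(PROTECTED_HEADER, filename)])
        return [b""]
    return app


def resolve_under_root(document_root, filename):
    """Map the requested name to a regular file under document_root, or None.
    realpath() collapses '..' and symlinks first, so traversal, absolute paths
    and symlink escapes all fail the containment check."""
    root = os.path.realpath(document_root)
    candidate = os.path.realpath(os.path.join(root, filename))
    try:
        contained = os.path.commonpath([root, candidate]) == root
    except ValueError:  # different drives on Windows
        contained = False
    return candidate if contained and os.path.isfile(candidate) else None


class SendFileMiddleware:
    """Honours the private header the way nginx honours X-Accel-Redirect: the
    app's empty body is discarded and the file is streamed instead, through
    the server's wsgi.file_wrapper if it provides one (mod_wsgi does)."""

    def __init__(self, app, document_root):
        self.app, self.document_root = app, document_root

    def __call__(self, environ, start_response):
        captured = {}

        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, list(headers)

        body = self.app(environ, capture)
        wanted = dict(captured["headers"]).get(PROTECTED_HEADER)
        if wanted is None:  # ordinary response (e.g. the login redirect)
            start_response(captured["status"], captured["headers"])
            return body
        if hasattr(body, "close"):
            body.close()
        path = resolve_under_root(self.document_root, wanted)
        if path is None:  # unknown or escaping name: say nothing about the root
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        ctype = mimetypes.guess_type(path)[0] or "application/octet-stream"
        start_response("200 OK", [
            ("Content-Type", ctype),
            ("Content-Length", str(os.path.getsize(path))),
            ("Content-Disposition", 'attachment; filename="%s"' % os.path.basename(path)),
        ])
        wrapper = environ.get("wsgi.file_wrapper", FileWrapper)
        return wrapper(open(path, "rb"), 8192)  # chunked, never read whole


def run_request(app, path, cookie=""):
    """Drive a WSGI app offline; return (status, headers dict, body bytes)."""
    result = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_COOKIE": cookie}

    def start_response(status, headers, exc_info=None):
        result["status"], result["headers"] = status, dict(headers)

    body = app(environ, start_response)
    try:
        data = b"".join(body)
    finally:
        if hasattr(body, "close"):
            body.close()
    return result["status"], result["headers"], data


def demo():
    """Constructed scenario: one file in a temporary document root, three requests."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "report.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 constructed sample\n")
        app = SendFileMiddleware(protected_media_app({"s3ss10n"}), root)
        return {
            "anon": run_request(app, "/protected_media/report.pdf"),
            "ok": run_request(app, "/protected_media/report.pdf", "sessionid=s3ss10n"),
            "escape": run_request(app, "/protected_media/../../etc/passwd", "sessionid=s3ss10n"),
        }
```

Running demo() gives a 302 to the login page for the anonymous request, a streamed application/pdf body for the logged-in one, and a 404 for the traversal attempt. With a real front end the middleware disappears: the view sets the header and nginx (X-Accel-Redirect against an `internal` location) or mod_wsgi serves the bytes, which is the efficiency point answer #1 and #3 make.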
#4


1  

If I understand your question correctly you want to restrict access to files that are not being served by Django, for example, with an Apache server?

What you would then require is some way for this Apache server to use Django as an authentication source.

This django snippet describes such a method. It creates an access handler in Django which is used by Apache when a request for a static file comes in that needs to be protected:

<Location "/protected/location">
    PythonPath "['/path/to/proj/'] + sys.path"
    PythonOption DJANGO_SETTINGS_MODULE myproj.settings
    PythonOption DjangoPermissionName '<permission.codename>'
    PythonAccessHandler my_proj.modpython   # this should point to the access handler
    SetHandler None
</Location>

Hope this helps, the snippet was posted a while ago, so things might have changed between Django versions :)
