barseghyanartur / django-fobi

Form generator/builder application for Django done right: customisable, modular, user- and developer- friendly.
https://pypi.python.org/pypi/django-fobi

securing file uploads #279

Closed matacino closed 1 year ago

matacino commented 1 year ago

Hi,

I have a fobi form where people upload personal documents. The form handler only has a Mail handler, so actually nothing needs to be saved on the server. I am experiencing the case that all the uploaded documents are accessible via the internet under the Django folder for the uploaded media (e.g. "/media/fobi_plugins/file/").

Is there a configurable way to disable the saving of the uploaded files without interfering with other django apps or at least hide them?

  1. I tried "FILE_UPLOAD_TEMP_DIR" in settings.py, which seems not to be used in fobi.
  2. Setting FOBI_PLUGIN_FIELDS_FILE_FILES_UPLOAD_DIR to the desired (relative) path is only relative to "/media".

Am I missing an option?

Thanks in advance

matacino

matacino commented 1 year ago

hmm. Do I have to develop a separate file-upload element?

barseghyanartur commented 1 year ago

Look, there are multiple ways of doing this. It's not really a fobi-specific thing. It's standard Django: the media directory is served statically. You do need to know the exact file path in order to get the file, but there are ways to secure the uploads. For instance, you could store them in an S3 bucket and only make them accessible from within your web site. You can also protect your media directory (do not serve it statically, but rather stream uploads via your web site). For that you might need to extend an existing or create a new form handler component. Further, use your imagination. :)
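The second option above (stop serving the upload directory as static media and stream files through an authenticated view instead) is plain Django and does not need any fobi-specific code. The following is an added example, not code from django-fobi or from anyone in this thread. It assumes the upload sub-directory named in the issue ("fobi_plugins/file"), a hypothetical MEDIA_ROOT of /srv/app/media, and a URL pattern that you add yourself; the authorisation rule (`request.user.is_authenticated`) is a placeholder for whatever decides who may fetch a given document. The path-containment helper is pure stdlib so it can be tested without Django.

```python
"""Serve the fobi upload directory through an authenticated Django view
instead of as static media.  Example code, not part of django-fobi."""
import os
from pathlib import Path

# Assumptions for this example (adjust to your project):
MEDIA_ROOT = Path("/srv/app/media")      # hypothetical settings.MEDIA_ROOT
PROTECTED_SUBDIR = "fobi_plugins/file"   # upload sub-directory from the issue


def resolve_protected_path(media_root, relative_path):
    """Map a user-supplied relative path onto the protected upload directory.

    Returns the absolute Path inside the directory, or None when the request
    would escape it: absolute paths, "../" traversal, or a symlink that
    resolves outside the directory.  Stdlib only, so it is unit-testable
    without Django.
    """
    base = (Path(media_root) / PROTECTED_SUBDIR).resolve()
    # Path("/x") / "/etc/passwd" silently yields "/etc/passwd", so refuse
    # absolute input before joining.
    if os.path.isabs(relative_path):
        return None
    candidate = (base / relative_path).resolve()
    try:
        candidate.relative_to(base)   # raises ValueError if outside base
    except ValueError:
        return None
    return candidate


def protected_upload(request, path):
    """Stream one uploaded file to an authorised user.

    Wire it up with something like
        path("media/fobi_plugins/file/<path:path>", protected_upload)
    and make sure the web server (nginx/Apache alias, or django.views.static
    in development) no longer serves that prefix directly, otherwise this
    view is never reached and the files stay world-readable.
    """
    # Imported here rather than at module level so the helper above can be
    # run and tested in an environment without Django installed.
    from django.http import FileResponse, Http404, HttpResponseForbidden

    if not request.user.is_authenticated:   # placeholder authorisation rule
        return HttpResponseForbidden()

    full = resolve_protected_path(MEDIA_ROOT, path)
    if full is None or not full.is_file():
        raise Http404
    # as_attachment=True sets Content-Disposition: attachment, so a user-
    # supplied HTML or SVG upload is downloaded, not rendered in your origin.
    return FileResponse(open(full, "rb"), as_attachment=True, filename=full.name)
```

Note that the traversal check is done on the resolved path, not on the string: `resolve()` follows symlinks, so a symlink inside the upload directory pointing elsewhere is rejected as well. The usual static-media shortcut (`static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)`) has to be removed or narrowed for the protected prefix, or the view never sees the request.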