{
    "info": {
        "author": "Erik Romijn",
        "author_email": "eromijn@solidlinks.nl",
        "bugtrack_url": null,
        "classifiers": [
            "Development Status :: 4 - Beta",
            "Framework :: Django",
            "Intended Audience :: Developers",
            "License :: OSI Approved :: BSD License",
            "Natural Language :: English",
            "Programming Language :: Python :: 2",
            "Programming Language :: Python :: 2.6",
            "Programming Language :: Python :: 2.7",
            "Programming Language :: Python :: 3",
            "Programming Language :: Python :: 3.3"
        ],
        "description": "=============================\r\ndjango-random-filestorage\r\n=============================\r\n\r\n\r\n.. image:: https://badge.fury.io/py/django-random-filestorage.png\r\n    :target: https://badge.fury.io/py/django-random-filestorage\r\n\r\n.. image:: https://travis-ci.org/erikr/django-random-filestorage.png?branch=master\r\n    :target: https://travis-ci.org/erikr/django-random-filestorage\r\n\r\n.. image:: https://coveralls.io/repos/erikr/django-random-filestorage/badge.png?branch=master\r\n    :target: https://coveralls.io/r/erikr/django-random-filestorage?branch=master\r\n\r\nDjango-random-filestorage is a Django storage class that assigns random filenames to all stored files.\r\n\r\nIf a user uploads a file named `foo.txt`, it\r\nwill be stored as `<60 random characters>.txt`. In cases where you refer users to uploaded files or images directly,\r\nthis will prevent them from finding other files, which they may not be authorised to see, by guessing the original\r\nnames used by your users.\r\n\r\nDocumentation\r\n-------------\r\n\r\nThe full documentation is at https://django-random-filestorage.readthedocs.org.\r\n\r\nSecurity warning\r\n================\r\n.. warning ::\r\n    Never use django-random-filestorage for cases where the uploaded files may contain links,\r\n    such as PDF files. In that case, the secrecy of your URLs can be compromised by being\r\n    leaked through the referer header, as Dropbox discovered in May:\r\n    https://blog.dropbox.com/2014/05/web-vulnerability-affecting-shared-links/\r\n\r\nQuickstart\r\n----------\r\n\r\nInstall django-random-filestorage::\r\n\r\n    pip install django-random-filestorage\r\n\r\nThen use it in your entire Django project::\r\n\r\n    DEFAULT_FILE_STORAGE=\"randomfilestorage.storage.RandomFileSystemStorage\"\r\n\r\nOr, set it on a specific field::\r\n\r\n    from randomfilestorage.storage import RandomFileSystemStorage\r\n\r\n    random_storage = RandomFileSystemStorage(location='/media/my_files')\r\n    class Example(models.Model):\r\n        my_file = FileField(storage=random_storage)\r\n\r\n\r\nWhy would you want to do this?\r\n------------------------------\r\n\r\nLet's say you have an app that manages all ice cream recipes you sell in your shop. Some of your recipes contain secret\r\ningredients, and are therefore only available to a small set of trusted users. We'll look at two icecreams: strawberry,\r\nwhich has a fairly standard and non-secret recipe, and jellyfish, which is very secret.\r\n\r\nThe recipes are stored in PDFs, which are uploaded into a Django app that uses a FileField. As Django suggests,\r\nthe media directory is directly accessible through nginx or some other simple web server. So a user which is authorised\r\nto see the strawberry recipe, will be sent to a PDF like ``http://example.com/media/recipes/strawberry.pdf``. They\r\nwill not see jellyfish in their list of recipes, as it's too secret.\r\n\r\nHowever, given that the user knows that you sell jellyfish too, they can simply find that recipe on\r\n``http://example.com/media/recipes/jellyfish.pdf``! There are many cases where names of documents, with differing access\r\nlevels, are in some way predictable. Dates are another predictable example. And filenames in FileFields are derived\r\nfrom the original filename the user chose.\r\n\r\nBy making these filenames random, the person who can access\r\n``http://example.com/media/recipes/ZXcAoL4wmhisYlBvHLoyt3fwfMXsMiVvgQTQOb40zOQIdag7KbEU5sy9b6GW.pdf``\r\nwill not be able to guess that the jellyfish recipe is available on\r\n``http://example.com/media/recipes/qPRCEVAJd1RQvkd9OTTeY4hruW0Jvy5Qq0YIVtWPrwGWMgmUogYO8aPVRCxC.pdf``.\r\n\r\nWhat issues are not resolved?\r\n-----------------------------\r\nOnce a user knows the random string that was used to name the file, they could provide the link to others. Then again,\r\nthey could just as well download the file and provide it to others in some other way.\r\n\r\nIf you would like stricter control over who accesses certain files, you'll have to prevent direct access to (part of)\r\nthe media directory. You can serve those files through a Django view instead, but this comes at an additional\r\nperformance cost. A more performant but more complex alternative is to use Apache sendfile_ or nginx X-accel_.\r\n\r\n.. _sendfile: https://tn123.org/mod_xsendfile/\r\n.. _X-accel: http://wiki.nginx.org/X-accel",
        "description_content_type": null,
        "docs_url": null,
        "download_url": "",
        "downloads": {
            "last_day": -1,
            "last_month": -1,
            "last_week": -1
        },
        "home_page": "https://github.com/erikr/django-random-filestorage",
        "keywords": "django-random-filestorage",
        "license": "BSD",
        "maintainer": "",
        "maintainer_email": "",
        "name": "django-random-filestorage",
        "package_url": "https://pypi.org/project/django-random-filestorage/",
        "platform": "UNKNOWN",
        "project_url": "https://pypi.org/project/django-random-filestorage/",
        "project_urls": {
            "Homepage": "https://github.com/erikr/django-random-filestorage"
        },
        "release_url": "https://pypi.org/project/django-random-filestorage/0.1.0/",
        "requires_dist": null,
        "requires_python": null,
        "summary": "Django storage class that assigns random filenames to all stored files.",
        "version": "0.1.0"
    },
    "last_serial": 3615251,
    "releases": {
        "0.1.0": [
            {
                "comment_text": "",
                "digests": {
                    "md5": "82f32ffc0a8fa3268ce5fbdc47149502",
                    "sha256": "9e0412dd3a9b23fa4b66812e3d17ea6ceebaf7838c5fb116cdcc746567ecf189"
                },
                "downloads": -1,
                "filename": "django-random-filestorage-0.1.0.tar.gz",
                "has_sig": false,
                "md5_digest": "82f32ffc0a8fa3268ce5fbdc47149502",
                "packagetype": "sdist",
                "python_version": "source",
                "requires_python": null,
                "size": 5894,
                "upload_time": "2014-02-23T14:14:44",
                "url": "https://files.pythonhosted.org/packages/c2/e4/69e878e60e507103c31516c5504e63f20ef7f4eee9d8db366c56ba82ded8/django-random-filestorage-0.1.0.tar.gz"
            }
        ]
    },
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "md5": "82f32ffc0a8fa3268ce5fbdc47149502",
                "sha256": "9e0412dd3a9b23fa4b66812e3d17ea6ceebaf7838c5fb116cdcc746567ecf189"
            },
            "downloads": -1,
            "filename": "django-random-filestorage-0.1.0.tar.gz",
            "has_sig": false,
            "md5_digest": "82f32ffc0a8fa3268ce5fbdc47149502",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": null,
            "size": 5894,
            "upload_time": "2014-02-23T14:14:44",
            "url": "https://files.pythonhosted.org/packages/c2/e4/69e878e60e507103c31516c5504e63f20ef7f4eee9d8db366c56ba82ded8/django-random-filestorage-0.1.0.tar.gz"
        }
    ]
}