I have an Image model that has a user field which is a foreign key to the Django User:

    from django.contrib.auth.models import User
    from django.db import models

    class Image(models.Model):
        image = models.ImageField()
        user = models.ForeignKey(User)
        # more specific model fields

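I want to serve media files only to the user who is logged in and who uploaded the media. So I used the X-Sendfile header in Apache with the following view: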
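
    import os

    from django.conf import settings
    from django.http import HttpResponse
    from django.utils.encoding import smart_str

    @owns_media
    def media_xsendfile(request, path):
        print("inside media_xsendfile view")
        print(os.path.join(settings.MEDIA_ROOT, path))
        response = HttpResponse()
        response['Content-Type'] = ''
        # The body stays empty; Apache serves the file named in X-Sendfile
        response['X-Sendfile'] = smart_str(os.path.join(settings.MEDIA_ROOT, path))
        return response
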
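owns_media is a decorator that checks whether the logged-in user uploaded the image, and either lets the view run or raises a PermissionDenied exception. Here is the decorator: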

    from django.core.exceptions import PermissionDenied

    def owns_media(view):
        """Decorator to check if the user has permission to access media"""
        def wrapper(request, *args, **kw):
            path = kw['path']
            user = request.user
            # Look up the Image row whose file field matches the requested path
            image = Image.objects.get(image=path)
            image_user = image.user
            if user == image_user:
                return view(request, *args, **kw)
            else:
                raise PermissionDenied
        return wrapper

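But it doesn't work. I logged in as the user and got the image, then logged out and tried to access it, and it does serve the image when it shouldn't. Am I doing something wrong?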
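
The decision that the decorator and view above make together, as a framework-free sketch added here (not part of the original post and not a diagnosis of the behaviour it describes). It goes beyond the posted code by rejecting paths that escape the media root, answering 404 for unknown files, and marking the response non-cacheable. `OWNERS`, `MEDIA_ROOT`, `resolve_media_path` and `authorize_media` are hypothetical names, and the sample data is constructed.

```python
import posixpath

# Constructed sample data: relative media path -> id of the uploading user.
OWNERS = {"uploads/cat.jpg": 1, "uploads/dog.jpg": 2}
MEDIA_ROOT = "/srv/media"  # assumed location, stands in for settings.MEDIA_ROOT


def resolve_media_path(media_root, rel_path):
    """Return the absolute path under media_root, or None if rel_path escapes it."""
    if rel_path.startswith("/") or "\x00" in rel_path:
        return None
    full = posixpath.normpath(posixpath.join(media_root, rel_path))
    if not full.startswith(media_root.rstrip("/") + "/"):
        return None
    return full


def authorize_media(user_id, rel_path, owners=OWNERS, media_root=MEDIA_ROOT):
    """Decide what the view should answer, as (status, headers).

    user_id is None for an anonymous (logged-out) request.
    """
    full = resolve_media_path(media_root, rel_path)
    if full is None:
        return 400, {}  # traversal or absolute path: never build X-Sendfile from it
    if user_id is None:
        return 403, {}  # logged out: refuse before any ownership lookup
    owner = owners.get(posixpath.relpath(full, media_root))
    if owner is None:
        return 404, {}  # unknown file, instead of an unhandled DoesNotExist
    if owner != user_id:
        return 403, {}  # authenticated, but not the uploader
    return 200, {
        "X-Sendfile": full,
        # Keep browsers and proxies from replaying the image after logout.
        "Cache-Control": "private, no-store",
    }
```

A check like this only protects requests that reach the view; if the web server also maps the media directory directly, those requests bypass it.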