Hello,

I have a static file that I don't want to be publicly available. Is there a way to limit access with app.yaml so that it can only be loaded by its own domain?

web2py based solutions are also welcomed as I'm using it on top of GAE.

Thanks!

+2  A: 

You can limit access to it with 'login: required' to require login with a Google account, or 'login: admin' to restrict it to admins only. If you're only concerned about abuse, you probably want to look into the DOS API instead.

Nick Johnson
Oh, does this work with static files too?
Jason Hall
Yes, it does.
Nick Johnson
Thanks Nick. As for restricting static files with login:required or login:admin, is it then possible to pass in login credentials with urllib.urlopen or something of that sort in order to download the data at runtime?
Dane
It's possible, yes - check out appengine_rpc.py in the SDK source for an example of how to make authenticated calls to App Engine.
Nick Johnson
+1  A: 

I assume you want to use web2py authentication for this. You have to follow a few simple rules. 1) Files in app/static are public files. 2) Files that you want to subject to authentication go in app/private. Then create your own web2py action to serve the content of private/:

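# auth.requires() needs a condition argument; requires_login() is the plain login check
@auth.requires_login()
def private():
    import os
    # request.args(0) is None when no file name is given in the URL
    if not request.args(0):
        raise HTTP(404)
    path = os.path.join(request.folder, 'private', request.args(0))
    return response.stream(open(path, 'rb'))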

If you want to use role-based access control, you need to store the filename in a database table and use auth.add_permission to grant the group permission on the record.

You get faster and more competent responses if you ask questions on the web2py mailing list.

mdipierro
I'm pretty sure this won't work with App Engine, since files aren't hosted in a real filesystem.
Jason Hall
It depends. I answered under the assumption that files were provided at development time. In that case it will work on GAE. If we are talking about files uploaded into the app, the web2py solution is easy. Make a table with Field('file','upload',authorize=lambda row: row.author==auth.user_id) and Field('author',db.auth_user,default=auth.user_id) and use form=crud.create(db.thetable) to upload images into the table (subject to the GAE file size limits). This is discussed extensively in chapter 3 of the book and all the examples in there work out of the box in GAE.
mdipierro
Thanks for the replies, Massimo. I posted here instead of the mailing list because I was hoping for a quick app.yaml solution, but now I've decided to take a completely different approach to my task that doesn't involve using the file on GAE. I'll keep your solution in mind for the future.
Dane
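
An explicit containment check for the path that the `private()` action above builds from `request.args(0)`, added here as an example that is not part of the original answers. It is plain Python 3 with no web2py dependency; `resolve_private`, `PrivateFileError`, `demo` and the sample file names are hypothetical.

```python
import os
import tempfile


class PrivateFileError(Exception):
    """The requested name must not be served."""


def resolve_private(app_folder, name):
    """Return the real path of <app_folder>/private/<name>, or raise."""
    if not name:
        raise PrivateFileError("no file name given")
    base = os.path.realpath(os.path.join(app_folder, "private"))
    # realpath collapses ".." and follows symlinks, so the check below is
    # made on the location that open() would actually reach.
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise PrivateFileError("path escapes private/")
    if not os.path.isfile(candidate):
        raise PrivateFileError("not a regular file")
    return candidate


def demo():
    """Run the check over constructed request arguments in a temp app folder."""
    results = {}
    with tempfile.TemporaryDirectory() as app:
        for sub, fname in (("private", "report.csv"), ("models", "db.py")):
            os.makedirs(os.path.join(app, sub))
            with open(os.path.join(app, sub, fname), "w") as fh:
                fh.write("constructed sample\n")
        cases = {
            "plain": "report.csv",
            "dotdot": "../models/db.py",
            "absolute": os.path.join(app, "models", "db.py"),
            "missing": "missing.txt",
            "empty": None,
        }
        for label, arg in cases.items():
            try:
                resolve_private(app, arg)
                results[label] = "served"
            except PrivateFileError as exc:
                results[label] = str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome)
```

In a controller, the action would call such a check before `response.stream` and turn the exception into a 404.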