Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Howto avoid traceback in case of PermissionDenied in custom can_access_file? #68

Open
tombreit opened this issue Jun 9, 2021 · 1 comment

Comments

@tombreit
Copy link

tombreit commented Jun 9, 2021

Dear all,

given the following PrivateStorageDetailView

# views.py

class AttachmentDownloadView(PrivateStorageDetailView):
    model = ImageAttachment
    model_file_field = 'file'

    def get_object(self):
        # see: https://github.com/edoburu/django-private-storage/issues/50
        return get_object_or_404(self.model, file=self.kwargs['path'])

    def can_access_file(self, private_file):        
        return private_file.request.user.is_authenticated

I always get a Traceback for a Forbidden (Permission denied) request:

Forbidden (Permission denied): /media/attachments/27b5c847-4027-4de9-b26e-98ac028490e8.png
Traceback (most recent call last):
  File ".venv/lib/python3.9/site-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File ".venv/lib/python3.9/site-packages/django/core/handlers/base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File ".venv/lib/python3.9/site-packages/django/views/generic/base.py", line 70, in view
    return self.dispatch(request, *args, **kwargs)
  File ".venv/lib/python3.9/site-packages/django/views/generic/base.py", line 98, in dispatch
    return handler(request, *args, **kwargs)
  File ".venv/lib/python3.9/site-packages/private_storage/views.py", line 158, in get
    return super(PrivateStorageDetailView, self).get(request, *args, **kwargs)
  File ".venv/lib/python3.9/site-packages/private_storage/views.py", line 73, in get
    raise PermissionDenied(self.permission_denied_message)
django.core.exceptions.PermissionDenied: Private storage access denied
[09/Jun/2021 11:27:28] "GET /media/attachments/27b5c847-4027-4de9-b26e-98ac028490e8.png HTTP/1.1" 403 135

How can I handle this exception gracefully (I do not want this uncaught ServerError)?

@acaduck
Copy link

acaduck commented Oct 17, 2022

you can avoid this by rewrite the get() method of the PrivateStorageView base view:

# copied from source code:
class PrivateStorageView(View):
    def get(self, request, *args, **kwargs):
     
        if not self.can_access_file(private_file):
            raise PermissionDenied(self.permission_denied_message) # here is the cause

in your case, you can:

from django.http import HttpResponse

class AttachmentDownloadView(PrivateStorageDetailView):
    model = ImageAttachment
    model_file_field = 'file'

    def get_object(self):
        ...

    def can_access_file(self, private_file):        
        ...

  # add this
   def get(self, request, *args, **kwargs):
      if not self.can_access_file(private_file):
           return HttpResponse('unaothorized', status=401)

rather than raise an error, we returned a 401 response

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants