Limiting access to a static file with GAE

2

3

I have a static file that I don't want to be publicly available. Is there a way to limit access with app.yaml so that it can only be loaded by its own domain?

web2py based solutions are also welcomed as I'm using it on top of GAE.

Thanks!

Drill answered 11/9, 2010 at 21:54 Comment(0)
5

You can limit access to it with 'login: required' to require login with a Google account, or 'login: admin' to restrict it to admins only. If you're only concerned about abuse, you probably want to look into the DOS API instead.

Tenorio answered 13/9, 2010 at 10:24 Comment(2)
Thanks Nick. As for restricting static files with login:required or login:admin, is it then possible to pass in login credentials with urllib.urlopen or something of that sort in order to download the data at runtime? - Drill
It's possible, yes - check out appengine_rpc.py in the SDK source for an example of how to make authenticated calls to App Engine. - Tenorio
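The app.yaml approach from the answer above, written out as an added example (not part of the original answer). It assumes the legacy Python runtime's handler syntax, and the file name and paths are hypothetical. It shows the ordering detail that decides whether the restriction takes effect: handlers are matched top to bottom, so the restricted entry must come before any broader static handler.

```yaml
# Added example; static/data.json and the /static URL prefix are hypothetical.
handlers:
# Weak ordering (shown commented out): if this broad handler came first,
# it would match /static/data.json and serve it without any login check.
# - url: /static
#   static_dir: static

# Restricted: the specific file is listed first and limited to app admins.
- url: /static/data\.json
  static_files: static/data.json
  upload: static/data\.json
  login: admin
  # Reject the request instead of redirecting to the Google sign-in page.
  auth_fail_action: unauthorized

# Everything else under /static stays public.
- url: /static
  static_dir: static
```

Use `login: required` instead of `login: admin` to allow any signed-in Google account rather than only application admins.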
1

I assume you want to use web2py authentication for this. You have to follow a few simple rules. 1) Files in app/static are public files. 2) Files that you want to subject to authentication go in app/private. Then create your own web2py action to serve the content of private/

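@auth.requires_login()
def private():
    import os
    # Serve files from app/private to logged-in users only
    if not request.args(0):
        raise HTTP(404)
    # basename() keeps the lookup inside the private/ folder
    filename = os.path.join(request.folder, 'private', os.path.basename(request.args(0)))
    return response.stream(open(filename, 'rb'))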

If you want to use role-based access control, you need to store the filename in a database table and use auth.add_permission to give the group permission on the record.

You get faster responses and more competent responses if you ask questions to the web2py mailing list.

Boutique answered 17/9, 2010 at 17:31 Comment(4)
I'm pretty sure this won't work with App Engine, since files aren't hosted in a real filesystem. - Amrita
It depends. I answered under the assumption that files were provided at development time. In that case it will work on GAE. If we are talking about files uploaded into the app, the web2py solution is easy. Make a table with Field('file','upload',authorize=lambda row: row.author==auth.user_id) and Field('author',db.auth_user,default=auth.user_id) and use form=crud.create(db.thetable) to upload images into the table (subject to the GAE file size limits). This is discussed extensively in chapter 3 of the book and all the examples in there work out of the box in GAE. - Boutique
Thanks for the replies Mossimo. I posted here instead of the mailing list because I was hoping for a quick app.yaml solution, but now I've decided to take a completely different approach to my task that doesn't involve using the file on GAE. I'll keep your solution in mind for the future. - Drill
Any way to replace before sending the file? - Invert
