[WIP] Fix uploads being world readable #769
Conversation
|
Automated message from Dropbox CLA bot @rahuldeve, it looks like you've already signed the Dropbox CLA. Thanks! |
|
I think you should |
rahuldeve
changed the title
|
@sharmaeklavya2 Thanks for that :) |
zproject/settings.py
Outdated
| @@ -100,6 +100,9 @@ def get_secret(key): | |||
| EXTRA_INSTALLED_APPS = ["zilencer", "analytics"] | |||
| # Disable Camo in development | |||
| CAMO_URI = '' | |||
| SENDFILE_BACKEND = 'sendfile.backends.development' | |||
| #SENDFILE_ROOT = os.path.join(LOCAL_UPLOADS_DIR, 'files') | |||
| #SENDFILE_URL = '/user-uploads/' | |||
There was a problem hiding this comment.
should be /user_uploads/, right?
|
The |
|
OK, took a look at this. Generally what you have so far looks pretty reasonable. A few thoughts: |
rahuldeve
force-pushed
the
word-readable
branch
4 times, most recently
from
e25f3bb
to
19a9571
Compare
|
Added a test case and changed the nginx config file. @timabbott wouldn't the package be installed because of |
|
@rahuldeve We'll package django-sendfile for |
rahuldeve
force-pushed
the
word-readable
branch
2 times, most recently
from
df3b0fd
to
f219d8c
Compare
rahuldeve
force-pushed
the
word-readable
branch
3 times, most recently
from
c0a7310
to
f15b1a4
Compare
|
@timabbott Everything seems to be working fine now. Tested this manually for production in a vagrant box but it would have been better if we could automate it in travis. Also do you have any pointers on how to package |
rahuldeve
force-pushed
the
word-readable
branch
2 times, most recently
from
5ee8d47
to
4bfb71f
Compare
|
Cool, you should be able to add some extra scripts run at the end of tools/travis/production-helper to test the production sendfile configuration... |
|
On the front of packaging, either I'll take care of it or we'll have switched to using requirements.txt in production; either way, don't worry about the apt issue. |
|
@lfaraone do you want to do a quick look at django-sendfile from a security perspective? It's a super simple library. |
|
@timabbott we could just download |
|
As for the tests in production, I'm having trouble automating the login process. For manual testing, I just created a new user and changed its password using manage.py. Also ive added code for an authorization check before an upload is served. So now a user can only get the file if he is either the sender or recipient of that file. If the file is uploaded to a stream, all the members of the stream are considered as recipients. |
|
Also sendfile do require a test to see if it works in production. Now that we have API based endpoints for uploading and downloading, that will be easy. Will probably have to modify the zulip-send api too. |
|
Yeah, I think marking files that predate this feature as realm-readable is pretty reasonable; that's the policy we had at the time those messages were sent, and I think trying to enforce a stricter policy could break things for users. Then we don't need to loop through messages, just through the files. Sounds good re: adding a production test. |
|
@timabbott Ive pushed the necessary migration. |
rahuldeve
force-pushed
the
word-readable
branch
3 times, most recently
from
f8fe61c
to
561230d
Compare
|
@timabbott Ive rebased the whole thing on top of the revert commit. The updated migration should now get all files from either local or s3 and make attachment entries for them. Also I'm not sure if django-sendfile will work in python3 so I put on in the py2_common file. |
|
OK, that's probably reasonable for now (but won't last, since we're close to moving Zulip to Python 3). I posted a comment on johnsensible/django-sendfile#25 and also opened johnsensible/django-sendfile#55. If you're excited to move this forward, you could open a pull request for adding python 3 support and running their tests automatically; I don't think it'd be a hard project. On the front of the migration, I'd like to do something a bit more precise than that using the data we have for attachments in S3; I've been trying to find time to write the migration I want. But my idea was to based it off of the logic we have for iterating through all attachments in the storage mechanism in #673 (with some refactoring). |
rahuldeve
force-pushed
the
word-readable
branch
2 times, most recently
from
81dd185
to
9a1be32
Compare
|
@timabbott Sorry for the late reply, been really busy the past few weeks. Maybe you could tell me what kind of migration you have in mind? I could try to modify the current migration that I wrote and help you out :) |
|
I'd like to actually iterate through all uploaded files to record data like the owner (that's available in the S3 metadata currently) as part of the migration process. |
|
@timabbott The only way we can get the owner details for all the local uploads (including the ones uploaded before the Attachment model migration) is to iterate through all the messages and find out the sender of the first message referring the attachment. Do you plan on using #673 in the zulip upgrade process ? |
|
@rahuldeve that may be probably true for the local file uploads implementation, but not for the S3 implementation -- we encode the original uploader of the file in the S3 metadata. See the I don't plan to use #673 in the upgrade process; it's intended for moving data from one server to another. |
|
Closing in favor of the rebased version #4387. Thanks for all your work on this @rahuldeve! |
Fix for #320. Uploaded files now require an active session to download. Works only in development for now.