Merge pull request #113 from OpenDataServices/restrict-original-link

cove.input: Randomise the original file filename
OpenDataServices · Mar 6, 2023 · 0395ee7 · 0395ee7
2 parents 4124bc0 + 174a3ea
commit 0395ee7
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+# [0.27.0] - 2023-03-06
+
+## Changed
+
+- Randomize the uploaded file subdirectory, to allow coves to hide original files from unauthenticated users
+
 # [0.26.0] - 2023-02-17
 
 ## Changed

diff --git a/cove/input/models.py b/cove/input/models.py
@@ -7,6 +7,8 @@
 import requests
 from django.core.files.base import ContentFile
 from werkzeug.http import parse_options_header
+import secrets
+import string
 
 CONTENT_TYPE_MAP = {
     'application/json': 'json',
@@ -19,13 +21,15 @@
 
 
 def upload_to(instance, filename=''):
-    return os.path.join(str(instance.pk), filename)
+    alphabet = string.ascii_letters + string.digits
+    random_string = "".join(secrets.choice(alphabet) for i in range(16))
+    return os.path.join(str(instance.pk), random_string, filename)
 
 
 class SuppliedData(models.Model):
     id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
     source_url = models.URLField(null=True, max_length=2000)
-    original_file = models.FileField(upload_to=upload_to)
+    original_file = models.FileField(upload_to=upload_to, max_length=256)
     current_app = models.CharField(max_length=20)
 
     created = models.DateTimeField(auto_now_add=True, null=True)
@@ -55,10 +59,10 @@ def get_absolute_url(self):
         return reverse('explore', args=(self.pk,), current_app=self.current_app)
 
     def upload_dir(self):
-        return os.path.join(settings.MEDIA_ROOT, upload_to(self))
+        return os.path.join(settings.MEDIA_ROOT, str(self.pk), '')
 
     def upload_url(self):
-        return os.path.join(settings.MEDIA_URL, upload_to(self))
+        return os.path.join(settings.MEDIA_URL, str(self.pk), '')
 
     def is_google_doc(self):
         return self.source_url.startswith('https://docs.google.com/')

diff --git a/setup.py b/setup.py
@@ -4,7 +4,7 @@
 
 setup(
     name='libcoveweb',
-    version='0.26.0',
+    version='0.27.0',
     author='Open Data Services',
     author_email='[email protected]',
     packages=find_packages(),