[ckan-dev] Restricting Access to Private Resources on CKAN

Steve Matchett smatchet at mix.wvu.edu
Thu Jan 30 01:40:20 UTC 2014


Sorry if this is complicated or hard to follow; this is my first time
replying to someone on here.

We ran into the same problem as you.  What you need to do is override the
route to the download in a plugin using the function before_map in the
interface found here: ckan.plugins.interfaces.IGenshiStreamFilter

    map.connect('download', '/storage/f/{time}/{file}',
                controller=controller, action='download')

The regex /storage/f/{time}/{file} matches the URL to download a resource.


Now that you have overridden the download function, you need to write
your own. This is what I have done:


    # Imports needed by the two controller methods below
    import os
    import pylons
    import ckan.lib.helpers as h
    from ckan.lib.base import c, render, request
    from paste.fileapp import FileApp

    def download(self, time, file):
        if c.user:  # checked to see if logged in. Can also do more checks
            # path to the file store of resources
            rootdir = pylons.config['ofs.storage_dir'] + '/pairtree_root'
            bucketdir = pylons.config['ckan.storage.bucket']
            # split the bucket name into two-character directory names
            bucketdir = [bucketdir[i:i + 2] for i in range(0, len(bucketdir), 2)]
            bucket = ''
            for i in bucketdir:
                bucket = bucket + '/' + i
            bucket += '/obj/'  # random folder that is added in the filestore?
            # colon is a key word in the address bar, so it arrives as %3A
            filepath = str(rootdir + bucket + time.replace('%3A', ':') + '/' + file)
            return self._send_file_response(filepath)  # return file
        else:
            h.flash_error("You need to be logged in to download files")
            return render('home/index.html')

    # function taken from
    # http://stackoverflow.com/questions/2413707/stream-a-file-to-the-http-response-in-pylons
    def _send_file_response(self, filepath):
        user_filename = '_'.join(filepath.split('/')[-1:])
        file_size = os.path.getsize(filepath)
        headers = [('Content-Disposition', 'attachment; filename="' + user_filename + '"'),
                   ('Content-Type', 'text/plain'),
                   ('Content-Length', str(file_size))]
        fapp = FileApp(filepath, headers=headers)
        return fapp(request.environ, self.start_response)


Hope this helps. If you have any other questions about the code or how
to achieve what you are trying to do, feel free to email me back :)





On Wed, Jan 29, 2014 at 12:47 PM, Sajan Ravindran
<sajanravindran at gmail.com> wrote:

> Just to add, we are concerned that if the S3 url gets shared, people who
> do not have access to the resource via CKAN's web interface might be able
> to access it.
>
> Thanks again !
> Sajan
>
>
> On Wed, Jan 29, 2014 at 12:30 PM, Sajan Ravindran <
> sajanravindran at gmail.com> wrote:
>
>> Hi,
>>
>> We have currently a setup of CKAN ( 2.1 ) on EC2 and have the filestore
>> installed on S3. Currently, the data which we have is a combination of
>> public and private ( as it needs to be verified ).  We are running into an
>> issue with the private resources.
>>
>> Though access to the private resources is restricted via CKAN, once
>> someone gets access to the S3 url of CKAN's filestore, the resource gets
>> easily downloaded. We are especially concerned about this as this data is
>> unverified. Is there any way by which downloading resources via this URL
>> can be restricted without affecting CKAN's functionality?
>>
>> Any help would be greatly appreciated.
>>
>> Thanks,
>> Sajan
>>
>


-- 
Steven Matchett
Software Engineer -- MATRIC Research
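
An added example, not part of the original post or of CKAN: the path construction from the download method above with a containment check, so that the {time} and {file} route values cannot resolve outside the bucket's obj directory. It is written for Python 3 (the post's code targets Pylons on Python 2); the names bucket_root, resolve_resource_path and UnsafePath are hypothetical, and the sample values at the bottom are constructed.

```python
import os
from urllib.parse import unquote


class UnsafePath(ValueError):
    """Raised when route parameters resolve outside the bucket directory."""


def bucket_root(storage_dir, bucket):
    # Same layout as the post:
    # <storage_dir>/pairtree_root/<bucket name in 2-char chunks>/obj
    chunks = [bucket[i:i + 2] for i in range(0, len(bucket), 2)]
    return os.path.join(storage_dir, 'pairtree_root', *chunks, 'obj')


def resolve_resource_path(storage_dir, bucket, time, file):
    """Return the absolute file path, or raise UnsafePath."""
    root = os.path.realpath(bucket_root(storage_dir, bucket))
    # Decode once (this also turns %3A into ':') so that encoded dots and
    # separators are checked in their final form.
    parts = [unquote(time), unquote(file)]
    for part in parts:
        if part in ('', '.', '..') or any(ch in part for ch in '/\\\x00'):
            raise UnsafePath('illegal path component: %r' % part)
    # realpath follows symlinks, so a link pointing out of the store is
    # caught by the containment check as well.
    candidate = os.path.realpath(os.path.join(root, *parts))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafePath('path escapes the file store: %r' % candidate)
    return candidate


if __name__ == '__main__':
    # Constructed sample values, not taken from a real deployment.
    store, bucket = '/srv/ckan-store', 'default'
    print(resolve_resource_path(store, bucket,
                                '2014-01-30T01%3A40%3A20', 'data.csv'))
    try:
        resolve_resource_path(store, bucket, '%2E%2E', 'data.csv')
    except UnsafePath as exc:
        print('rejected:', exc)
```

In the controller, the login check stays in front of this call and an UnsafePath is answered with an error page rather than a file response.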