[ckan-dev] Restricting Access to Private Resources on CKAN

Steve Matchett smatchet at mix.wvu.edu
Thu Jan 30 01:42:22 UTC 2014


Sorry, that code might be hard to read. Here is a link to a dump:

http://pastebin.com/rz4BGrGm


On Wed, Jan 29, 2014 at 8:40 PM, Steve Matchett <smatchet at mix.wvu.edu> wrote:

> Sorry if this is complicated or hard to follow; this is my first time
> replying to someone on here.
>
> We ran into the same problem as you.  What you need to do is override the
> route to the download in a plugin, using the function before_map in the
> interface found here: ckan.plugins.interfaces.IGenshiStreamFilter
>
> map.connect('download', '/storage/f/{time}/{file}', controller=controller, action='download')
>
> The regex /storage/f/{time}/{file} matches the URL to download a resource.
>
>
> Now that you have overridden the download function, you need to write your own. This is what I have done:
>
>
>     # Module-level imports used by the controller methods below
>     import os
>     import pylons
>     from pylons import request, tmpl_context as c
>     from paste.fileapp import FileApp
>     import ckan.lib.helpers as h
>     from ckan.lib.base import render
>
>     # Methods of the plugin's controller class
>     def download(self, time, file):
>         if c.user:  # check to see if logged in. Can also do more checks
>             # path to the file store of resources
>             rootdir = pylons.config['ofs.storage_dir'] + '/pairtree_root'
>             # the bucket name is split into two-character directories
>             bucketdir = pylons.config['ckan.storage.bucket']
>             bucketdir = [bucketdir[i:i + 2] for i in range(0, len(bucketdir), 2)]
>             bucket = ''
>             for i in bucketdir:
>                 bucket = bucket + '/' + i
>             bucket += '/obj/'  # random folder that is added in the filestore?
>             # colon is a key word in address bar
>             filepath = str(rootdir + bucket + time.replace('%3A', ':') + '/' + file)
>             return self._send_file_response(filepath)  # return file
>         else:
>             h.flash_error("You need to be logged in to download files")
>             return render('home/index.html')
>
>     # function taken from
>     # http://stackoverflow.com/questions/2413707/stream-a-file-to-the-http-response-in-pylons
>     def _send_file_response(self, filepath):
>         user_filename = '_'.join(filepath.split('/')[-1:])
>         file_size = os.path.getsize(filepath)
>         headers = [('Content-Disposition', 'attachment; filename="' + user_filename + '"'),
>                    ('Content-Type', 'text/plain'),
>                    ('Content-Length', str(file_size))]
>         fapp = FileApp(filepath, headers=headers)
>         return fapp(request.environ, self.start_response)
>
>
> Hope this helps. If you have any other questions about the code or how to achieve what you are trying to do, feel free to email me back :)
>
>
>
>
>
> On Wed, Jan 29, 2014 at 12:47 PM, Sajan Ravindran <
> sajanravindran at gmail.com> wrote:
>
>> Just to add, we are concerned that if the S3 url gets shared, people who
>> do not have access to the resource via CKAN's web interface might be able
>> to access it.
>>
>> Thanks again!
>> Sajan
>>
>>
>> On Wed, Jan 29, 2014 at 12:30 PM, Sajan Ravindran <
>> sajanravindran at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> We currently have a setup of CKAN (2.1) on EC2 and have the filestore
>>> installed on S3. Currently, the data which we have is a combination of
>>> public and private (as it needs to be verified).  We are running into an
>>> issue with the private resources.
>>>
>>> Though access to the private resources is restricted via CKAN, once
>>> someone gets access to the S3 url of CKAN's filestore, the resource gets
>>> easily downloaded. We are especially concerned about this as this data is
>>> unverified. Is there any way by which downloading resources via this URL
>>> can be restricted without affecting CKAN's functionality?
>>>
>>> Any help would be greatly appreciated.
>>>
>>> Thanks,
>>> Sajan
>>>
>>
>>
>>
>
>
> --
> Steven Matchett
> Software Engineer -- MATRIC Research
>
>


-- 
Steven Matchett
Software Engineer -- MATRIC Research
West Virginia University - Lane Department of CS
Cell: (973) 945 - 8572
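
Added example, not part of the original post and not CKAN code: the path construction from the download handler quoted above, isolated so it can be tested without CKAN, with a check that the request's {time} and {file} values resolve to a file inside the bucket directory. The function names, the 'default' bucket and the sample store are assumptions made for illustration, and unquote() stands in for the post's '%3A' replacement.

```python
import os
import tempfile
from urllib.parse import unquote


def bucket_dir(storage_dir, bucket):
    """Pairtree directory for a bucket: id split into 2-char dirs, then 'obj'."""
    pairs = [bucket[i:i + 2] for i in range(0, len(bucket), 2)]
    return os.path.join(storage_dir, 'pairtree_root', *pairs, 'obj')


def resolve_resource(storage_dir, bucket, time, file):
    """Return the stored file's real path, or None when the route values
    are malformed or resolve to anything outside the bucket directory."""
    base = os.path.realpath(bucket_dir(storage_dir, bucket))
    time, file = unquote(time), unquote(file)  # '%3A' -> ':' and the rest
    for part in (time, file):
        if part in ('', '.', '..') or any(ch in part for ch in '/\\\0'):
            return None
    # realpath() follows symlinks, so a link leading out of the store fails
    candidate = os.path.realpath(os.path.join(base, time, file))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Resolve five constructed requests against a store in a temp dir."""
    root = tempfile.mkdtemp()
    label = '2014-01-29T20:40:00'  # constructed timestamp label
    obj = os.path.join(bucket_dir(root, 'default'), label)
    os.makedirs(obj)
    outside = os.path.join(root, 'outside.txt')
    for path in (os.path.join(obj, 'data.csv'), outside):
        with open(path, 'w') as fh:
            fh.write('sample\n')
    os.symlink(outside, os.path.join(obj, 'link.csv'))
    requests = [
        ('2014-01-29T20%3A40%3A00', 'data.csv'),  # stored file
        ('..', 'data.csv'),                       # dot segment
        (label, '..%2F..%2Foutside.txt'),         # encoded separator
        (label, 'link.csv'),                      # symlink out of the bucket
        (label, 'missing.csv'),                   # no such file
    ]
    return [resolve_resource(root, 'default', t, f) is not None
            for t, f in requests]


if __name__ == '__main__':
    print(demo())
```

In a controller, a None result would be answered with a 404 rather than being handed to the file-sending function.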