[ckan-dev] Restricting Access to Private Resources on CKAN

Sajan Ravindran sajanravindran at gmail.com
Thu Jan 30 14:43:34 UTC 2014


Thank you Steve. I will try this out and get back to you.


On Wed, Jan 29, 2014 at 8:42 PM, Steve Matchett <smatchet at mix.wvu.edu> wrote:

> Sorry, that code might be hard to read; here is a link to a dump:
>
> http://pastebin.com/rz4BGrGm
>
>
> On Wed, Jan 29, 2014 at 8:40 PM, Steve Matchett <smatchet at mix.wvu.edu> wrote:
>
>> Sorry if this is complicated or hard to follow; this is my first time
>> replying to someone on here.
>>
>> We ran into the same problem as you. What you need to do is override the
>> route to the download in a plugin using the function before_map in the
>> interface found here: ckan.plugins.interfaces.IGenshiStreamFilter
>>
>> map.connect('download', '/storage/f/{time}/{file}', controller=controller, action='download')
>>
>> The regex /storage/f/{time}/{file} matches the url to download a resource
>>
>>
>> Now that you have overridden the download function, you need to write your own. This is what I have done:
>>
>>
>>     def download(self, time, file):
>>         if c.user:  # checked to see if logged in. Can also do more checks
>>             rootdir = pylons.config['ofs.storage_dir'] + '/pairtree_root'  # path to the file store of resources
>>             bucketdir = pylons.config['ckan.storage.bucket']
>>             bucketdir = [bucketdir[i:i + 2] for i in range(0, len(bucketdir), 2)]
>>             bucket = ''
>>             for i in bucketdir:
>>                 bucket = bucket + '/' + i
>>             bucket += '/obj/'  # random folder that is added in the filestore?
>>             filepath = str(rootdir + bucket + time.replace('%3A', ':') + '/' + file)  # colon is a key word in address bar
>>             return self._send_file_response(filepath)  # return file
>>         else:
>>             h.flash_error("You need to be logged in to download files")
>>             return render('home/index.html')
>>
>>     def _send_file_response(self, filepath):
>>         # function taken from http://stackoverflow.com/questions/2413707/stream-a-file-to-the-http-response-in-pylons
>>         user_filename = '_'.join(filepath.split('/')[-1:])
>>         file_size = os.path.getsize(filepath)
>>
>>         headers = [('Content-Disposition', 'attachment; filename=\"' + user_filename + '\"'),
>>                    ('Content-Type', 'text/plain'),
>>                    ('Content-Length', str(file_size))]
>>
>>         from paste.fileapp import FileApp
>>         fapp = FileApp(filepath, headers=headers)
>>
>>         return fapp(request.environ, self.start_response)
>>
>>
>> Hope this helps. If you have any other questions about the code or how to achieve what you are trying to do, feel free to email me back :)
>>
>>
>>
>>
>>
>> On Wed, Jan 29, 2014 at 12:47 PM, Sajan Ravindran <
>> sajanravindran at gmail.com> wrote:
>>
>>> Just to add, we are concerned that if the S3 url gets shared, people who
>>> do not have access to the resource via CKAN's web interface might be able
>>> to access it.
>>>
>>> Thanks again !
>>> Sajan
>>>
>>>
>>> On Wed, Jan 29, 2014 at 12:30 PM, Sajan Ravindran <
>>> sajanravindran at gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> We have currently a setup of CKAN ( 2.1 ) on EC2 and have the filestore
>>>> installed on S3. Currently, the data which we have is a combination of
>>>> public and private ( as it needs to be verified ).  We are running into an
>>>> issue with the private resources.
>>>>
>>>> Though access to the private resources is restricted via CKAN, once
>>>> someone gets access to the S3 url of CKAN's filestore, the resource gets
>>>> easily downloaded. We are especially concerned about this as this data is
>>>> unverified. Is there any way by which downloading resources via this URL
>>>> can be restricted without affecting CKAN's functionality?
>>>>
>>>> Any help would be greatly appreciated.
>>>>
>>>> Thanks,
>>>> Sajan
>>>>
>>>
>>>
>>> _______________________________________________
>>> ckan-dev mailing list
>>> ckan-dev at lists.okfn.org
>>> https://lists.okfn.org/mailman/listinfo/ckan-dev
>>> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>>>
>>>
>>
>>
>> --
>> Steven Matchett
>> Software Engineer -- MATRIC Research
>>
>>
>
>
> --
> Steven Matchett
> Software Engineer -- MATRIC Research
> West Virginia University - Lane Department of CS
> Cell: (973) 945 - 8572
>
>
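The handler quoted in the thread builds a filesystem path directly from the `{time}` and `{file}` URL parts. As an added example (not part of the thread and not CKAN code; Python 3 standard library only), this resolver keeps the same pairtree layout but rejects any value that would resolve outside the bucket's `obj` directory. The names `resolve_download`, `bucket_root`, `UnsafePath` and the sample store are assumptions made for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


class UnsafePath(Exception):
    """Raised when the URL parts would resolve outside the bucket directory."""


def bucket_root(storage_dir, bucket):
    # Layout from the post: pairtree_root/<bucket in 2-char dirs>/obj (assumed)
    parts = [bucket[i:i + 2] for i in range(0, len(bucket), 2)]
    return os.path.join(storage_dir, 'pairtree_root', *parts, 'obj')


def resolve_download(storage_dir, bucket, time, file):
    """Map the {time}/{file} URL parts to a file confined to the bucket."""
    root = os.path.realpath(bucket_root(storage_dir, bucket))
    # Decode once (the post replaces %3A by hand), then treat the values as
    # single path components: no separators, no dot segments, no NUL.
    segments = [unquote(time), unquote(file)]
    for seg in segments:
        if seg in ('', '.', '..') or '/' in seg or '\\' in seg or '\x00' in seg:
            raise UnsafePath(seg)
    candidate = os.path.realpath(os.path.join(root, *segments))
    # realpath() follows symlinks, so a link leading out of the store fails here
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafePath(candidate)
    if not os.path.isfile(candidate):
        raise FileNotFoundError(candidate)
    return candidate


def demo():
    """Build a constructed store in a temp dir and exercise the resolver."""
    base = tempfile.mkdtemp()
    label = '2014-01-29T12:00:00'          # constructed sample timestamp label
    obj_dir = os.path.join(bucket_root(base, 'default'), label)
    os.makedirs(obj_dir)
    with open(os.path.join(obj_dir, 'data.csv'), 'w') as fh:
        fh.write('a,b\n')
    ok = resolve_download(base, 'default', '2014-01-29T12%3A00%3A00', 'data.csv')
    rejected = []
    for t, f in [('..', 'secret.ini'), (label, '..%2F..%2Fsecret.ini')]:
        try:
            resolve_download(base, 'default', t, f)
        except UnsafePath:
            rejected.append((t, f))
    return ok, rejected
```

In a controller like the one quoted above, the resolved path would be passed to the file response only after the login check succeeds, with `UnsafePath` and `FileNotFoundError` both returned to the client as "not found".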