Using Django Authorisation for media files access in Apache

In my model File I have a pointer and a group field. Only when an authenticated user is in one of the groups of group access is allowed to the file in pointer.

from django.db import models
from django.contrib.auth.models import Group

class File(models.Model):
  pointer = models.FileField()
  group = models.ManyToManyField(Group)

Now I want Apache to follow this by using the Django authorisation. For this I’ve written a middleware script in Django which works fine when using the Django test webserver (python runserver).

from django.http import HttpRequest, HttpResponseForbidden

from .models import File

class MediaAccessMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request: HttpRequest):
        if request.path_info.startswith('/media/'):
            if not request.user.is_authenticated:
                return HttpResponseForbidden('You may not enter...')
                path = request.path_info.strip('/media/')
                file = File.objects.filter(pointer=path)
                if file:
                    f_groups = file[0].group
                    f_set = set(f_groups.values_list('name', flat=True))
                    f_set = set()
                ug_set = set(request.user.groups.values_list('name', flat=True))
                if not ug_set.intersection(f_set):
                    return HttpResponseForbidden('Access denied because you\'re not in the right group')
        return self.get_response(request)

However I cannot get this to work with Apache using mod_wsgi. Below is an excerpt of my Apache conf-script:

WSGIDaemonProcess ${url} python-home=${envPath} python-path=${basePath}:${projectPath} user=${userName} group=${groupName}
WSGIScriptAlias /${url} ${projectPath}/ process-group=${url}
WSGIApplicationGroup %{GLOBAL}

<Location /${url}>
        WSGIProcessGroup ${url}

Alias /${url}/media/ ${mediaPath}
<Directory ${mediaPath}>
    Require valid-user
    AuthBasicProvider wsgi
    WSGIAuthUserScript ${projectPath}/

<Location "/${url}/secret">
    AuthType Basic
    AuthName "Top Secret"
    Require valid-user
    AuthBasicProvider wsgi
    WSGIAuthUserScript ${projectPath}/

<Directory ${projectPath}>
           Require all granted

Can someone help me with this?

Kind regards,

1 Like