[mod_python] Protecting folders question

Sean Davis sdavis2 at mail.nih.gov
Sun Apr 15 16:15:30 EDT 2007


Olaf Stein wrote:
> Hi all,
>
> I am relatively new to mod_python and tried to find some online docs in this
> topic, have not been very successful though.
>
> Here is the scenario:
>
> I have an app residing with htdocs/apps
> Http.conf entries
> -------
>
> <Directory /usr/local/apache/htdocs/apps/>
>      SetHandler mod_python
>      PythonHandler mod_python.publisher
>      PythonDebug On
> </Directory>
>
> -------
>
> My html templates are sitting outside apps in /usr/local/apache/htdocs/tmpl
> and I read those from there.
>
> I also have a folder /usr/local/apache/htdocs/files where I copy files
> uploaded by the users.
>
> Now, obviously both these directories are viewable with a browser with no
> restrictions (assuming one knows the entire path to a file, including the
> file name).
>
> I do not want anybody to have access those files without going through the
> app.
>
> I protected the directories with htaccess.
> Now I have the problem that the browser wants a username and password when
> the app loads the templates.
>
> The questions are then:
> - Does this setup make sense at all or should I place those folders and
> files somewhere else (e.g within the app handler folder).
>
> - If this makes sense, how can I access the files from within the app
> without having to enter credentials (basically going around the
> authentication process)
>   
The standard way of handling this is to not store those files in the 
htdocs directory.  Just make directories somewhere else in the file 
system and make sure they are readable and writable by the apache user.  
However, do not add a directory block in the http.conf file, so the 
directories will not be visible from the browser. 

Sean


More information about the Mod_python mailing list