#28540 closed Cleanup/optimization (fixed)
Document changes to file upload permissions in Django 1.11
Reported by: | Yaroslav Demidenko | Owned by: | nobody |
---|---|---|---|
Component: | Documentation | Version: | 1.11 |
Severity: | Normal | Keywords: | ImageField, save, permissions |
Cc: | Simen Heggestøyl, Keryn Knight | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
This bug find in prod server (nginx, supervisor + gunicorn)
I have models: MainModel()
and
SubModel(models.Model): main_id = FK(MainModel) im1 = ImageField() im2 = ImageField() im3 = ImageField()
When I fill SubModel
object in admin (as InlineAdmin) and click save button, all images are saved, but permissions == 0600.
If I fill any two imgs (or one), all is well.
Django 1.10.5 - this bug not found.
Sorry for my English.
Change History (18)
comment:1 by , 7 years ago
Description: | modified (diff) |
---|
comment:2 by , 7 years ago
Resolution: | → needsinfo |
---|---|
Status: | new → closed |
comment:3 by , 7 years ago
Been hitting the same issue although it's somewhat inconsistent. Some context:
- Only have one FileField on the model.
- So far, it's been happening and reproduced on production with only one file (24 uploaded files)
We'll set FILE_UPLOAD_PERMISSIONS
and see if that fixes the issue.
Meanwhile, here's the raw unedited model. I don't think it has anything fancy and no signal:
@python_2_unicode_compatible class Livret(models.Model): bDisplay = models.BooleanField("Utilisé ce semestre", default=True) nom = models.CharField(_("Nom"), max_length=255, blank=False, null=False) file = models.FileField(_("Fichier"), upload_to="PDF") infos = models.TextField(blank=True, null=True) tags = TaggableManager(blank=True) events = models.ManyToManyField(Event, related_name='livrets', verbose_name=("Events"), blank=True) def __str__(self): return self.nom
comment:4 by , 7 years ago
Cc: | added |
---|---|
Resolution: | needsinfo |
Status: | closed → new |
We've hit the same issue, and I've identified f734e2d4b2fc4391a4d097b80357724815c1d414 as the offending commit.
The issue seems to be that when FILE_UPLOAD_PERMISSIONS
is None
, the default system permissions are used. This worked fine for us, because our system default is 644, which is what we wanted. After f734e2d4b2fc4391a4d097b80357724815c1d414 however, when the uploaded file is sufficiently large, the system's permissions for temporary files is used instead (which was 600 in our case).
Setting FILE_UPLOAD_PERMISSIONS
explicitly fixes the issue, but I think this behavioral change should be mentioned in the release notes.
comment:5 by , 7 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:6 by , 7 years ago
Component: | File uploads/storage → Documentation |
---|---|
Summary: | When you save three or more ImageField in admin file perm = 0o600 → Document changes to file upload permissions in Django 1.11 |
Type: | Bug → Cleanup/optimization |
The behavior might also be mentioned somewhere in the file upload documentation.
comment:7 by , 7 years ago
Are you sure that we should consider this a documentation bug? I think it doesn't make sense to use different permissions depending on the file size.
I know I am late to the party, but just in case it is of any use, I set up a minimal project that demonstrates the issue: https://github.com/rfleschenberg/django-file-upload-bug
comment:9 by , 7 years ago
Cc: | added |
---|
comment:11 by , 7 years ago
As I mentioned in the PR discussion, the new behavior seems consistent with the original documentation added with the introduction of the FILE_UPLOAD_PERMISSIONS
setting:
On most platforms, temporary files will have a mode of
0600
, and files saved from memory will be saved using thesystem's standard umask.
By default, MemoryFileUploadHandler
is used for files up to settings.FILE_UPLOAD_MAX_MEMORY_SIZE
, otherwise TemporaryFileUploadHandler
is used.
If we decide not to make a change (probably the discussion should move to django-developers), then we could at least add a note to the deployment checklist. Carlton proposed adding a system check that warns if the FILE_UPLOAD_PERMISSIONS
setting isn't set but that feels a bit heavy handed as none of the open source Django projects I checked have specified this setting so presumably it isn't a common issue.
comment:12 by , 6 years ago
Triage Stage: | Accepted → Ready for checkin |
---|
The django-developers discussion about changing the upload behavior hasn't received any replies. I'll proceed with the documentation patches, and we can open a new ticket if there's a later consensus to make a code change.
Have you set
settings.FILE_UPLOAD_PERMISSIONS
? Can you reproduce the problem in a non-production environment? It's unclear if someone could reproduce the problem based on the little information you provided. Can you provide a minimal sample project that reproduces the issue? Can you bisect the regression to determine where the behavior changed?