Restrict static file access to logged in users

by

I want to restrict files to be available to logged in users, but otherwise return a 403 error or similar. For example a user should be able to view/download /static/data/example.csv only if they’re logged in.

I know how to control the actual displaying of the files using Flask-Login if they’re not logged in, but not how to block access to the file if they visit the link directly in their browser.

Contents hide
Answers:
Method 1

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

Flask adds a static route to serve static files. When you’re in production, you typically “short circuit” this route so that Nginx serves the files before the request ever gets to your app. Instead of adding this “short circuit”, leave it out and let Flask handle the requests. Overwrite the static route with one that is wrapped by Flask-Login’s login_required.

from flask_login import login_required

app.view_functions['static'] = login_required(app.send_static_file)

This is typically overkill though, since you want truly static files to be served no matter what so that pages look right to non-logged in users (otherwise the CSS wouldn’t even be sent for the login page). Instead, “short circuit” the static folder to be served by Nginx, and define a route that will serve protected files from some other directory, such as the instance folder. See flask.send_from_directory.

import os
from flask import send_from_directory
from flask_login import login_required

@app.route('/protected/<path:filename>')
@login_required
def protected(filename):
    return send_from_directory(
        os.path.join(app.instance_path, 'protected'),
        filename
    )

This will serve files from the directory “protected” in the instance folder to logged in users only. Other restrictions could also be added, such as only allowing certain users access to certain files. Similar to the static path, you can generate a url to a file with:

url_for('protected', filename='data/example.csv')


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x