python - Django: How to allow a Suspicious File Operation / copy a file

Question

I want to do a SuspiciousFileOperation which django disallows by default.

I am writing a command (to run via manage.py importfiles) to import a given directory structure on the real file system in my self written filestorage in Django.

I think, this is my relevant code:

def _handle_directory(self, directory_path, directory):
    for root, subFolders, files in os.walk(directory_path):
        for filename in files:
            self.cnt_files += 1
            new_file = File(directory=directory, filename=filename, file=os.path.join(root, filename),
                 uploader=self.uploader)
            new_file.save()

The backtrace is:

Traceback (most recent call last):
  File ".manage.py", line 10, in <module>
    execute_from_command_line(sys.argv)
  File "C:Python27libsite-packagesdjangocoremanagement\__init__.py", line 399, in execute_from_command_line
    utility.execute()
  File "C:Python27libsite-packagesdjangocoremanagement\__init__.py", line 392, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "C:Python27libsite-packagesdjangocoremanagementase.py", line 242, in run_from_argv
    self.execute(*args, **options.__dict__)
  File "C:Python27libsite-packagesdjangocoremanagementase.py", line 285, in execute
    output = self.handle(*args, **options)
  File "D:DevelopmentgithubPalcoenginefilestoragemanagementcommandsimportfiles.py", line 53, in handle
    self._handle_directory(args[0], root)
  File "D:DevelopmentgithubPalcoenginefilestoragemanagementcommandsimportfiles.py", line 63, in _handle_directory
    new_file.save()
  File "D:DevelopmentgithubPalcoenginefilestoragemodels.py", line 157, in save
    self.sha512 = hashlib.sha512(self.file.read()).hexdigest()
  File "C:Python27libsite-packagesdjangocorefilesutils.py", line 16, in <lambda>
    read = property(lambda self: self.file.read)
  File "C:Python27libsite-packagesdjangodbmodelsfieldsfiles.py", line 46, in _get_file
    self._file = self.storage.open(self.name, 'rb')
  File "C:Python27libsite-packagesdjangocorefilesstorage.py", line 33, in open
    return self._open(name, mode)
  File "C:Python27libsite-packagesdjangocorefilesstorage.py", line 160, in _open
    return File(open(self.path(name), mode))
  File "C:Python27libsite-packagesdjangocorefilesstorage.py", line 261, in path
    raise SuspiciousFileOperation("Attempted access to '%s' denied." % name)
django.core.exceptions.SuspiciousFileOperation: Attempted access to 'D:Tempimportme
eadme.html' denied.

The full model can be found at GitHub. The full command is currently on gist.github.com available.

If you do not want to check the model: the attribute file of my File class is a FileField.

I assume, this problem happens, because I am just "linking" to the file found. But I need to copy it, huh? How can I copy the file into the file?

Answer 1

In Django, SuspiciousFileOperation can be avoid by read the file from external dir and make a tmp file within the project media then save in the appropriate file filed as below

import tempfile

file_name="file_name.pdf"
EXT_FILE_PATH = "/home/somepath/"
file_path = EXT_FILE_PATH + file_name
if exists(file_path):
    #create a named temporary file within the project base , here in media

    lf = tempfile.NamedTemporaryFile(dir='media')
    f = open(file_path, 'rb')
    lf.write(f.read())
    #doc object with file FileField.

    doc.file.save(file_name, File(lf), save=True)
    lf.close()