I am building a django/s3 application with the following behaviour:
- User logs in
- User uploads a document -> document goes to S3 (eventually with a UID name and an alias in the DB?)
- User can download the document
I’m looking for a way to deny the other users (or, even worse, not logged) to query and get access to the files. One solution I could find is:
- for every file, the page has links to a processing script
- when the link is clicked, the view processes it (checks user is authenticated, determines the right file in S3) and redirects to it
Is this enough? Are there more elegant solutions to this?
Don’t make your files public. This will prevent non-authorised users from accessing the files.
Then in your Django app, you can generate urls with a querystring that allows an authorised user to access an S3 file for a limited time.
The amazon docs for querystring request authentication have more information.