0

I'm making a django project that lets specific users to:

* first, upload a file with specified file-type;
* second, use that file to perform some calculations; and
* third, provide a derivative file for download.

The user can then view the list of all the files that was uploaded including the files uploaded by other users and choose which files to download or delete.

I made an app to manage the user's accounts and another app (core) for file uploads and calculations. Now I want to store the uploaded file in a specific directory so that I can easily access the file for data retrieval.

I tried doing this:

core_app/models.py

def file_path_dir(instance, filename):
    return 'files/{0}/{1}'.format(instance.id, filename)

class Core(models.Model):

    id = models.AutoField(primary_key=True, editable=False)
    date_created = models.DateField(auto_now_add=True)
    user = models.ForeignKey(get_user_model(), on_delete=models.CASCADE)
    csv = models.FileField(upload_to=file_path_dir,
                validators=[FileExtensionValidator(allowed_extensions=['csv'])])  # NOT SAFE

Here, I want the file to be uploaded in a directory using the id that will be stored in the database. However, the file was stored in this directory instead - files/None/filename.

I don't know why it says 'None' when I have successfully saved the file in the database (using postgresql). I need help how to solve this or how to properly do this in order for it to work.

Also, I would like to know the safest/ more secure way of validating file extensions.

Community
  • 1
  • 1
Semb
  • 156
  • 2
  • 20

1 Answers1

1

The file_path_dir is called before an actual save on the database side happens. And the id that you are making use of, is not created yet because the save function isn't called yet.

In order to have the id you need to save the instance and the file in a temporary folder and then move it after you got the id from the database.

But a better way of doing is using something else instead of the id. You can use month, day or even year instead and if you really need something unique for each file directory, you can add a unique field like an extra id or slug and generate it yourself and make use of that.

And for your second question about validating file extensions:

the first step is to check the format which you're already doing and it's usually safe enough depending on the platform. But if you need more security, you can read the file in a safe environment and see if it meets the rules for that type of extension. Or you can use other apps that do that for you and use them in the background.

Navid Zarepak
  • 4,148
  • 1
  • 12
  • 26
  • Sir, I decided to create a separate id in a different class instead so that I could have the id before I could save the file. I plan to make a button in the html template that will trigger the creation of the id in the database in an incremental way. However, I don't know how to do it. Do you have any suggestion/idea? – Semb Oct 25 '19 at 01:15
  • I don't think that's a good idea. There is a reason that Django doesn't control the id or even gives you a way to have it before it actually generated. I recommend creating another unique field that has nothing to do with the database id and use that instead. And you can assign it when you get a request for file upload which will be available in your `upload_to` function too. – Navid Zarepak Oct 25 '19 at 16:31
  • Sir, how can I generate that unique id so that it will have a format of ABCD-yyyy-xxx where ABCD is a constant word, yyyy is the current year, and xxx is an auto-increment integer starting from 001 which will be reset if the current year is updated? Also, how can I call it using a button in html? – Semb Oct 28 '19 at 02:16