Set default attachment permissions to 0700, to address #591

2024-12-13 10:21:05 +01:00 · 2020-07-27 19:50:25 -04:00 · 2020-07-27 19:50:25 -04:00 · 0a712381e0
commit 0a712381e0
parent fcde14b82c
2 changed files with 4 additions and 3 deletions
--- a/docs/install.rst
+++ b/docs/install.rst
@ -100,11 +100,11 @@ errors with trying to create User settings.

   (substitute www-data for the user / group that your web server runs as, eg 'apache' or 'httpd')

-   If all else fails ensure all users can write to it::
+   If all else fails, you could ensure all users can write to it::

      chmod 777 attachments/

-   This is NOT recommended, especially if you're on a shared server.
+   But this is NOT recommended, especially if you're on a shared server.

 6. Ensure that your ``attachments`` folder has directory listings turned off, to ensure users don't download files that they are not specifically linked to from their tickets.

--- a/helpdesk/models.py
+++ b/helpdesk/models.py
@ -763,7 +763,8 @@ def attachment_path(instance, filename):
    att_path = os.path.join(settings.MEDIA_ROOT, path)
    if settings.DEFAULT_FILE_STORAGE == "django.core.files.storage.FileSystemStorage":
        if not os.path.exists(att_path):
-            os.makedirs(att_path, 0o777)
+            # TODO: is there a better way to handle directory permissions more consistently?
+            os.makedirs(att_path, 0o700)
    return os.path.join(path, filename)