Set default attachment permissions to 0700, to address #591

2025-08-16 10:57:58 +02:00 · 2020-07-27 19:50:25 -04:00
parent fcde14b82c
commit 0a712381e0
2 changed files with 4 additions and 3 deletions
--- a/helpdesk/models.py
+++ b/helpdesk/models.py
@ -763,7 +763,8 @@ def attachment_path(instance, filename):
    att_path = os.path.join(settings.MEDIA_ROOT, path)
    if settings.DEFAULT_FILE_STORAGE == "django.core.files.storage.FileSystemStorage":
        if not os.path.exists(att_path):
-            os.makedirs(att_path, 0o777)
+            # TODO: is there a better way to handle directory permissions more consistently?
+            os.makedirs(att_path, 0o700)
    return os.path.join(path, filename)