Include ticket secret in path to new attachments in order to reduce URL guessability.

Timothy Hobbs 2018-10-06 21:23:44 +02:00
parent 7bad004780
commit caaa0e5158
No known key found for this signature in database
GPG Key ID: 9CA9B3D779CEEDE7


@ -781,7 +781,7 @@ def attachment_path(instance, filename):
"""
import os
os.umask(0)
path = 'helpdesk/attachments/%s/%s' % (instance.followup.ticket.ticket_for_url, instance.followup.id)
path = 'helpdesk/attachments/%s-%s/%s' % (instance.followup.ticket.ticket_for_url, instance.followup.ticket.secret_key, instance.followup.id)
att_path = os.path.join(settings.MEDIA_ROOT, path)
if settings.DEFAULT_FILE_STORAGE == "django.core.files.storage.FileSystemStorage":
if not os.path.exists(att_path):
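Review bot: The added `path = ...` line writes `ticket.secret_key` verbatim into the directory name, so the secret now appears wherever the attachment URL or filesystem path is recorded: web-server access logs, Referer headers, and the directory tree under `MEDIA_ROOT`, which this function prepares after `os.umask(0)`. If that key is also what authorises access to the ticket elsewhere in the project (not visible in this hunk), a logged attachment URL would expose more than the attachment. Consider embedding a derived value instead, e.g. `token = salted_hmac('helpdesk.attachment_path', instance.followup.ticket.secret_key).hexdigest()` (from `django.utils.crypto`), and formatting `token` into the path. The extra path component only makes the URL harder to guess; files under `MEDIA_ROOT` are typically still served without an authorisation check, which deserves a comment here, and attachments stored before this commit keep their old paths. `attachment_path` starts and ends outside the hunk.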