Allow separate storage of offline manifest #1112
Comments
|
The linked PR in Django was relatively painless... It's not up to me but, I'd be inclined to think it reasonable enough here (yes). Would you be prepared to make a PR? |
|
I'll be happy to review and merge a PR with tests & documentation implementing this. |
|
I haven't contributed to django-compressor yet, but I could try a PR, just I cannot promise that for the near future. So if someone else wants to implement that, I'm ok with it ;) |
|
@th3hamm0r — No problem. No rush 😃 — The Django PR you linked should be a nice guide. Welcome aboard! ⛵ |
|
Thanks for those kind responses! Unexpectedly, I've found some time for #1113.
Since the whole manifest code was already separated from the |
|
I'll release a new version with that change in the coming days/weeks, in the meantime you can use the development branch to get it. |
By default the manifest file is stored in the same storage as the compressed files. Usually this is
static/CACHE/manifest.json.The problem with that is, that this gives an easy access to all used files, which can be an issue if some of them are used in protected areas.
Currently, you cannot change that by configuration. Using a relative path for
COMPRESS_OFFLINE_MANIFEST, e.g.../../../manifest.json, won't work, because that will fail due to django's protection against path traversal.In our projects we're using a subclass of
CompressorFileStoragewhich bypasses those checks only for the manifest file, but that's not a clean solution.Solution:
Similar to how django has fixed that same issue for the manifest files of any
ManifestStaticFilesStoragewith django/django#12187 in 4.0, we should also allow to configure a separate file storage for the manifest file.With that it would be possible to store the file in a private directory.
The text was updated successfully, but these errors were encountered: