Change the way to generate attachment resource path.

settings/common.py

@@ -58,8 +58,6 @@ SEND_BROKEN_LINK_EMAILS = True
 IGNORABLE_404_ENDS = (".php", ".cgi")
 IGNORABLE_404_STARTS = ("/phpmyadmin/",)
 
-
-# Default django tz/i18n config
 ATOMIC_REQUESTS = True
 TIME_ZONE = "UTC"
 LANGUAGE_CODE = "en"
@@ -94,13 +92,21 @@ EVENTS_PUSH_BACKEND = "taiga.events.backends.postgresql.EventsPushBackend"
 # Message System
 MESSAGE_STORAGE = "django.contrib.messages.storage.session.SessionStorage"
 
-# Static configuration.
-MEDIA_ROOT = os.path.join(BASE_DIR, "media")
-MEDIA_URL = "/media/"
-STATIC_ROOT = os.path.join(BASE_DIR, "static")
+# The absolute url is mandatory because attachments
+# urls depends on it. On production should be set
+# something like https://media.taiga.io/
+MEDIA_URL = "http://localhost:8000/media/"
+
+# Static url is not widelly used by taiga (only
+# if admin is activated).
 STATIC_URL = "/static/"
 ADMIN_MEDIA_PREFIX = "/static/admin/"
 
+# Static configuration.
+MEDIA_ROOT = os.path.join(BASE_DIR, "media")
+STATIC_ROOT = os.path.join(BASE_DIR, "static")
+
+
 STATICFILES_FINDERS = [
     "django.contrib.staticfiles.finders.FileSystemFinder",
     "django.contrib.staticfiles.finders.AppDirectoriesFinder",

taiga/projects/attachments/models.py

@@ -14,25 +14,32 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import time
+import hashlib
+import os
+import os.path as path
 
 from django.db import models
 from django.conf import settings
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.contenttypes import generic
-from django.utils.translation import ugettext_lazy as _
 from django.utils import timezone
+from django.utils.encoding import force_bytes
+from django.utils.translation import ugettext_lazy as _
+
+from taiga.base.utils.iterators import split_by_n
 
 
 def get_attachment_file_path(instance, filename):
-    template = "attachment-files/{project}/{model}/{stamp}/{filename}"
-    current_timestamp = int(time.mktime(timezone.now().timetuple()))
+    basename = path.basename(filename).lower()
 
-    upload_to_path = template.format(stamp=current_timestamp,
-                                     project=instance.project.slug,
-                                     model=instance.content_type.model,
-                                     filename=filename)
-    return upload_to_path
+    hs = hashlib.sha256()
+    hs.update(force_bytes(timezone.now().isoformat()))
+    hs.update(os.urandom(1024))
+
+    p1, p2, p3, p4, *p5 = split_by_n(hs.hexdigest(), 1)
+    hash_part = path.join(p1, p2, p3, p4, "".join(p5))
+
+    return path.join("attachments", hash_part, basename)
 
 
 class Attachment(models.Model):

taiga/projects/attachments/serializers.py

@@ -39,15 +39,4 @@ class AttachmentSerializer(serializers.ModelSerializer):
         read_only_fields = ("owner", "created_date", "modified_date")
 
     def get_url(self, obj):
-        token = None
-
-        url = reverse("attachment-url", kwargs={"pk": obj.pk})
-        if "request" in self.context and self.context["request"].user.is_authenticated():
-            user_id = self.context["request"].user.id
-            token_src = "{}-{}-{}".format(settings.ATTACHMENTS_TOKEN_SALT, user_id, obj.id)
-            token = hashlib.sha1(token_src.encode("utf-8"))
-
-            return "{}?user={}&token={}".format(url, user_id, token.hexdigest())
-
-        return url
-
+        return obj.attached_file.url