Fix: Implement tenant-aware file storage for photo isolation

Resolves critical bug where photos of products with the same ID in different tenants were overwriting each other. Implemented complete isolation of media files between tenants using custom Django storage backend. ## Changes ### New Files - products/utils/storage.py: TenantAwareFileSystemStorage backend * Automatically adds tenant_id to file paths on disk * Prevents cross-tenant file access with security checks * Stores clean paths in DB for portability - products/tests/test_multi_tenant_photos.py: Comprehensive tests * 5 tests covering isolation, security, and configuration * All tests passing ✅ - MULTITENANT_PHOTO_FIX.md: Complete documentation ### Modified Files - settings.py: Configured DEFAULT_FILE_STORAGE to use TenantAwareFileSystemStorage - products/models/photos.py: * Converted upload_to from strings to callable functions * Updated ProductPhoto, ProductKitPhoto, ProductCategoryPhoto * Added tenant isolation documentation - products/tasks.py: Added documentation about file structure - products/utils/image_processor.py: Added documentation - products/utils/image_service.py: Added documentation ## Architecture **On disk:** media/tenants/{tenant_id}/products/{entity_id}/{photo_id}/{size}.ext **In DB:** products/{entity_id}/{photo_id}/{size}.ext Tenant ID is automatically added/removed during file operations. ## Security - Storage rejects cross-tenant file access - Proper tenant context validation - Integration with django-tenants schema system ## Testing - All 5 multi-tenant photo tests pass - Verified photo paths are isolated per tenant - Verified storage rejects cross-tenant access - Verified configuration is correct ## Future-proof - Ready for S3 migration (just change storage backend) - No breaking changes to existing code - Clean separation of concerns Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-23 20:05:20 +03:00
parent 122ea807d2
commit ff40a9c1f0
8 changed files with 740 additions and 3 deletions
--- a/myproject/products/utils/image_service.py
+++ b/myproject/products/utils/image_service.py
@@ -11,6 +11,12 @@ class ImageService:
    """
    Сервис для работы с изображениями разных размеров.
    Динамически строит URL на основе пути к оригинальному файлу.
+
+    МУЛЬТИТЕНАНТНОСТЬ:
+    На диске файлы хранятся как: tenants/{tenant_id}/products/{entity_id}/{photo_id}/{size}.ext
+    В БД сохраняется путь БЕЗ tenant_id: products/{entity_id}/{photo_id}/{size}.ext
+    TenantAwareFileSystemStorage автоматически добавляет/удаляет tenant_id при работе с файлами.
+    ImageService работает с путями из БД и генерирует URL, при необходимости системе видны файлы только своего тенанта.
    """

    # Константы для маппинга форматов и расширений файлов