{
  "id": "django__django-10914",
  "question": "Set default FILE_UPLOAD_PERMISSION to 0o644.\nDescription\n\t\nHello,\nAs far as I can see, the ​File Uploads documentation page does not mention any permission issues.\nWhat I would like to see is a warning that in absence of explicitly configured FILE_UPLOAD_PERMISSIONS, the permissions for a file uploaded to FileSystemStorage might not be consistent depending on whether a MemoryUploadedFile or a TemporaryUploadedFile was used for temporary storage of the uploaded data (which, with the default FILE_UPLOAD_HANDLERS, in turn depends on the uploaded data size).\nThe tempfile.NamedTemporaryFile + os.rename sequence causes the resulting file permissions to be 0o0600 on some systems (I experience it here on CentOS 7.4.1708 and Python 3.6.5). In all probability, the implementation of Python's built-in tempfile module explicitly sets such permissions for temporary files due to security considerations.\nI found mentions of this issue ​on GitHub, but did not manage to find any existing bug report in Django's bug tracker.\n",
  "answer": "{\"task_id\": \"17191681-f690-4439-b402-de292a846554\", \"workflow_run_id\": \"497808b9-00c6-44d6-a4e0-cc9a1cf823c0\", \"data\": {\"id\": \"497808b9-00c6-44d6-a4e0-cc9a1cf823c0\", \"workflow_id\": \"9a0a6efa-4d15-4876-b13f-4fb6a999caa2\", \"status\": \"succeeded\", \"outputs\": {\"final_patch\": [\"--- a/django/conf/global_settings.py\\n+++ b/django/conf/global_settings.py\\n@@ -500,7 +500,7 @@ FILE_UPLOAD_TEMP_DIR = None\\n # The numeric mode to set newly-uploaded files to. The value should be a mode\\n # you'd pass directly to os.chmod; see https://docs.python.org/library/os.html#files-and-directories.\\n-FILE_UPLOAD_PERMISSIONS = None\\n+FILE_UPLOAD_PERMISSIONS = 0o644\\n \\n # The numeric mode to assign to newly-created directories, when uploading files.\\n # The value should be a mode as you'd pass to os.chmod;\", \"--- a/django/core/files/storage.py\\n+++ b/django/core/files/storage.py\\n@@ -250,6 +250,10 @@ class FileSystemStorage(Storage):\\n             # This file has a file path that we can move.\\n             if hasattr(content, 'temporary_file_path'):\\n                 file_move_safe(content.temporary_file_path(), full_path)\\n+                # Apply default permissions if not explicitly set\\n+                if self.file_permissions_mode is None:\\n+                    os.chmod(full_path, 0o644)\\n+                else:\\n+                    os.chmod(full_path, self.file_permissions_mode)\\n             else:\\n                 # This is a normal uploadedfile that we can stream.\\n                 # This fun binary flag incantation makes os.open throw an\", \"--- a/django/conf/global_settings.py\\n+++ b/django/conf/global_settings.py\\n@@ -500,7 +500,7 @@ FILE_UPLOAD_TEMP_DIR = None\\n # The numeric mode to set newly-uploaded files to. The value should be a mode\\n # you'd pass directly to os.chmod; see https://docs.python.org/library/os.html#files-and-directories.\\n-FILE_UPLOAD_PERMISSIONS = None\\n+FILE_UPLOAD_PERMISSIONS = 0o644\\n \\n # The numeric mode to assign to newly-created directories, when uploading files.\\n # The value should be a mode as you'd pass to os.chmod;\", \"--- a/django/core/files/storage.py\\n+++ b/django/core/files/storage.py\\n@@ -200,6 +200,11 @@ class FileSystemStorage(Storage):\\n         self._location = location\\n         self._base_url = base_url\\n         self._file_permissions_mode = file_permissions_mode\\n+    \\n+    @property\\n+    def file_permissions_mode(self):\\n+        \\\"\\\"\\\"Return file permissions mode, defaulting to 0o644 if None.\\\"\\\"\\\"\\n+        return self._file_permissions_mode if self._file_permissions_mode is not None else 0o644\\n \\n     @cached_property\\n     def base_location(self):\", \"--- a/django/core/files/storage.py\\n+++ b/django/core/files/storage.py\\n@@ -265,7 +265,8 @@ class FileSystemStorage(Storage):\\n                     fd.write(chunk)\\n \\n         if self.file_permissions_mode is not None:\\n-            os.chmod(full_path, self.file_permissions_mode)\\n+            os.chmod(full_path, self.file_permissions_mode)\\n+        else:\\n+            os.chmod(full_path, 0o644)\\n \\n         # Store the final file size in the payload.\\n         content.size = len(content)\", \"diff\\n--- a/django/conf/global_settings.py\\n+++ b/django/conf/global_settings.py\\n@@ -500,7 +500,7 @@ FILE_UPLOAD_TEMP_DIR = None\\n # The numeric mode to set newly-uploaded files to. The value should be a mode\\n # you'd pass directly to os.chmod; see https://docs.python.org/library/os.html#files-and-directories.\\n-FILE_UPLOAD_PERMISSIONS = None\\n+FILE_UPLOAD_PERMISSIONS = 0o644\\n \\n # The numeric mode to assign to newly-created directories, when uploading files.\\n # The value should be a mode as you'd pass to os.chmod;\\n--- a/django/core/files/storage.py\\n+++ b/django/core/files/storage.py\\n@@ -250,6 +250,8 @@ class FileSystemStorage(Storage):\\n             # This file has a file path that we can move.\\n             if hasattr(content, 'temporary_file_path'):\\n                 file_move_safe(content.temporary_file_path(), full_path)\\n+                # Ensure consistent permissions after moving from temp file\\n+                os.chmod(full_path, self.file_permissions_mode or 0o644)\\n             else:\\n                 # This is a normal uploadedfile that we can stream.\\n                 # This fun binary flag incantation makes os.open throw an\\n@@ -265,7 +267,7 @@ class FileSystemStorage(Storage):\\n                     fd.write(chunk)\\n \\n         if self.file_permissions_mode is not None:\\n             os.chmod(full_path, self.file_permissions_mode)\\n+        else:\\n+            os.chmod(full_path, 0o644)\\n \\n         # Store the final file size in the payload.\\n         content.size = len(content)\\n\", \"diff\\n--- a/django/conf/global_settings.py\\n+++ b/django/conf/global_settings.py\\n@@ -500,7 +500,7 @@ FILE_UPLOAD_TEMP_DIR = None\\n # The numeric mode to set newly-uploaded files to. The value should be a mode\\n # you'd pass directly to os.chmod; see https://docs.python.org/library/os.html#files-and-directories.\\n-FILE_UPLOAD_PERMISSIONS = None\\n+FILE_UPLOAD_PERMISSIONS = 0o644\\n \\n # The numeric mode to assign to newly-created directories, when uploading files.\\n # The value should be a mode as you'd pass to os.chmod;\\n--- a/django/core/files/storage.py\\n+++ b/django/core/files/storage.py\\n@@ -250,6 +250,8 @@ class FileSystemStorage(Storage):\\n             # This file has a file path that we can move.\\n             if hasattr(content, 'temporary_file_path'):\\n                 file_move_safe(content.temporary_file_path(), full_path)\\n+                # Ensure consistent permissions after moving from temp file\\n+                os.chmod(full_path, self.file_permissions_mode or 0o644)\\n             else:\\n                 # This is a normal uploadedfile that we can stream.\\n                 # This fun binary flag incantation makes os.open throw an\\n@@ -265,7 +267,8 @@ class FileSystemStorage(Storage):\\n                     fd.write(chunk)\\n \\n         if self.file_permissions_mode is not None:\\n             os.chmod(full_path, self.file_permissions_mode)\\n+        else:\\n+            os.chmod(full_path, 0o644)\\n \\n         # Store the final file size in the payload.\\n         content.size = len(content)\\n\", \"diff\\n--- a/django/conf/global_settings.py\\n+++ b/django/conf/global_settings.py\\n@@ -500,7 +500,7 @@ FILE_UPLOAD_TEMP_DIR = None\\n # The numeric mode to set newly-uploaded files to. The value should be a mode\\n # you'd pass directly to os.chmod; see https://docs.python.org/library/os.html#files-and-directories.\\n-FILE_UPLOAD_PERMISSIONS = None\\n+FILE_UPLOAD_PERMISSIONS = 0o644\\n \\n # The numeric mode to assign to newly-created directories, when uploading files.\\n # The value should be a mode as you'd pass to os.chmod;\\n--- a/django/core/files/storage.py\\n+++ b/django/core/files/storage.py\\n@@ -250,6 +250,8 @@ class FileSystemStorage(Storage):\\n             # This file has a file path that we can move.\\n             if hasattr(content, 'temporary_file_path'):\\n                 file_move_safe(content.temporary_file_path(), full_path)\\n+                # Ensure consistent permissions after moving from temp file\\n+                os.chmod(full_path, self.file_permissions_mode or 0o644)\\n             else:\\n                 # This is a normal uploadedfile that we can stream.\\n                 # This fun binary flag incantation makes os.open throw an\\n@@ -265,7 +267,8 @@ class FileSystemStorage(Storage):\\n                     fd.write(chunk)\\n \\n         if self.file_permissions_mode is not None:\\n             os.chmod(full_path, self.file_permissions_mode)\\n+        else:\\n+            os.chmod(full_path, 0o644)\\n \\n         # Store the final file size in the payload.\\n         content.size = len(content)\\n\"]}, \"error\": \"\", \"elapsed_time\": 96.620355, \"total_tokens\": 35824, \"total_steps\": 30, \"created_at\": 1754646817, \"finished_at\": 1754646914}}"
}