Is the temporary directory, /tmp, private / only accessible per application?
Documentation that mentions it doesn’t mention security around it, Anvil Docs | Files on Disk
If I recall correctly, from earlier forum posts, it’s not per-application. (That would allow two users of the same application to see each others’ temporary files.)
Instead, it’s actually per browser session. So you could have 5 browser tabs open, all on the same app, all from the same logged-in user, yet each would see their own, unique tmp folder.
You can actually test this, of course. An anvil.server.call() can take 30 seconds to time out. That’s more than enough time to create a file from one tab, hold it open, and use another browser tab to list the folder contents.
I believe that /tmp is private to your app session account, but ephemeral.
As to when it gets wiped is indeterminate, but I would assume that it will only last for the one server call.
edited to reflect @meredydd 's answer below, correcting an error.
Thank you @david.wylie and @p.colbert !
So, I went ahead and tried a test,
- This is one application, Test /tmp directory
- This is a second application, Clone of Test /tmp directory
When you load either, it checks if /tmp/hello_world.txt exists. If it doesn’t, it creates it and returns a message saying so. If not, it returns a message saying it exists.
There’s a delete button that checks if it exists. If it is, it deletes it. If it doesn’t exist, says there’s nothing to delete.
I think the file is being shared between both applications though.
Here’s the code, Anvil | Login
I open each applications in a separate browsers. First says it was created. Second says it exists.
I delete the file on both (you can click twice the delete button for confirmation).
I refresh one. I refresh the other. Same thing. First one creates, second one says it exists.
Could one of you check the application example? I just want to make sure I’m not crazy.
Wow! Using your links, I’m seeing the same behavior. This is completely unexpected. Thank you so much for looking into it!
So, it’s not isolated by session. It’s not isolated by app, either. It looks like /tmp is per Anvil account!
After creating a file with your link, I ran my own copy. It did not see your file. So there’s still isolation on a per-account basis.
Now, within an account, it’s still easy to avoid accidental name collisions, via std lib module tempfile (tempfile — Generate temporary files and directories — Python 3.7.12 documentation). I just wasn’t expecting to need to do that.
2 Likes
Hi @Ruben.Varela,
Different apps within your account may find themselves sharing a filesystem. Best practice is to use a randomly generated filename to avoid conflicting with either other apps or other invocations of the same app – we’ll update that docs page to reflect this 
5 Likes
@p.colbert, thank you for looking and confirming that. I appreciate it.
@meredydd thank you for the reply. Got worried there for a sec. Getting an official reply helps.
I can definitely use a random generated name similarly to mktemp. Thank you both!
@p.colbert Went with tempfile.TemporaryFile, Thank you!
tempfile.TemporaryFile(mode=‘w+b’, buffering=None, encoding=None, newline=None, suffix=None, prefix=None, dir=None )¶Return a file-like object that can be used as a temporary storage area. The file is created securely, using the same rules as
mkstemp(). It will be destroyed as soon as it is closed (including an implicit close when the object is garbage collected). Under Unix, the directory entry for the file is either not created at all or is removed immediately after the file is created. Other platforms do not support this; your code should not rely on a temporary file created using this function having or not having a visible name in the file system.
No reference should stay on the filesystem longer than needed and it’s destroyed once done. On a with open block, that’s as soon as you exit the block.
Edit to add example,
with tempfile.TemporaryFile() as fd:
fd.write(some_string.encode())
fd.seek(0)
# line here to read whatever is needed now
1 Like