Firstly, a big warning: what you are doing is dangerous. You are trusting your user to give you a path. You must always sanitize this!
Now to your issue: rather than giving a file relative to the current directory, it is better practice to give an absolute file based on some root media path set in your settings file, then do:
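```python
from os import path
from django.conf import settings
from django.http import Http404

def serve_media(request):  # view name is illustrative; sendfile comes from your sendfile package
    sanitized_path = sanitize(request.path)  # you'll have to write a sanitize function
    media_path = "%s%s" % (settings.MEDIA_ROOT, sanitized_path)
    if not path.exists(media_path):  # Don't trust your visitors too much!
        raise Http404
    return sendfile(request, media_path)
```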
Source:stackexchange.com
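One way to write the sanitize step the answer leaves open, as an added example that is not part of the original answer: it resolves the requested path under the media root and rejects anything that ends up outside it. The names `resolve_media_path` and `UnsafePath` and the sample tree are hypothetical and constructed here; the input is assumed to be already URL-decoded, as a framework's request path normally is.

```python
import os
import tempfile


class UnsafePath(ValueError):
    """Raised when a requested path would resolve outside the media root."""


def resolve_media_path(media_root, requested):
    """Map a user-supplied path to an absolute path inside media_root.

    Returns the resolved path, or raises UnsafePath. The caller still has to
    check that the file exists before serving it.
    """
    root = os.path.realpath(media_root)
    if "\x00" in requested:
        raise UnsafePath("NUL byte in path")
    # Treat the input as relative: a leading "/" must not replace the root.
    rel = requested.lstrip("/")
    # realpath collapses ".." and follows symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafePath("path escapes media root")
    return candidate


def demo():
    """Constructed tree: media/a.txt inside the root, secret.txt outside it,
    and media/link.txt as a symlink pointing at secret.txt."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "media")
        os.mkdir(root)
        open(os.path.join(root, "a.txt"), "w").close()
        secret = os.path.join(base, "secret.txt")
        open(secret, "w").close()
        os.symlink(secret, os.path.join(root, "link.txt"))
        results = {}
        for requested in ["/a.txt", "/../secret.txt", "//etc/passwd",
                          "/link.txt", "/a.txt\x00.png"]:
            try:
                resolve_media_path(root, requested)
                results[requested] = "allowed"
            except UnsafePath:
                results[requested] = "rejected"
        return results


if __name__ == "__main__":
    for requested, verdict in demo().items():
        print(repr(requested), verdict)
```

`//etc/passwd` is allowed because it maps to `etc/passwd` under the media root, where the existence check then returns a 404; the symlink is rejected because the containment check runs on the resolved target.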