Forum: Ruby on Rails Attachment foo - files security

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Zirael (Guest)
on 2009-04-16 15:28
(Received via mailing list)
Hi,

I am using attachment_foo for sharing files between users. Everything
works fine but I am worry about the security.

All files are stored in the public rails folder so any browser can
easily access these files!!
I know that the folder path is specific but probably I could write a
simple script that could find some common file names.

Guys, did you think about that during development?

Is there any way to serve files by rails app. So that I could avoid
storing files in public directory?

Is database good idea? Is it efficient way?

Thank you.
Frederick C. (Guest)
on 2009-04-16 15:39
(Received via mailing list)
On 16 Apr 2009, at 12:27, Zirael wrote:

>
> Guys, did you think about that during development?
>
Use X-sendfile, X-Accel-redirect or generate hard to guess filenames
(ie /1ea39e7eacd783eda093223aebdcdf234/myfile)

Fred
Serafino P. (Guest)
on 2009-04-16 16:03
I had the same problem with some of my projects, where some images or
files had to be accessible only to logged users.

The solution is easy (I'm using file_column but the idea is the same),
when you declare has_attachment you can also select where to save your
files using :path_prefix .

You can set something like :path_prefix => "resources/#{table_name}" or
some other non public directory to avoid accessing the files directly by
passing a url.

To access the files, you call a method in a controller that serves back
the file using the send_file function. Check the api for better info
about it, you can send back the file inline (to be used in an image_tag
for instance) or as a download.

Since the file is sent by a method, it's easy to prevent its download
from non authorized user
This topic is locked and can not be replied to.