Acts_as_attachment and file security

I’ve been experimenting with the acts_as_attachment plugin and I’ve
been pretty happy with it except for one thing.

By default AAA puts the attached files into ‘public/files’, which is
generally world readable. It is possible to bypass any security and
download files directly from that directory if you know the filename.

For my particular needs, I need to ensure that specific files are only
downloaded by authenticated users. Preferably only those with
sufficient permission to access a particular file.

Does anyone have any suggestions for ways to secure uploaded files?

_Kevin

Another example of solving the problem minutes after posting about it.

Pretty easy too.

acts_as_attachment :file_system_path => 'attachments'

will store the attachments outside of the public directory, so the web
server won’t deliver it.

Then all you need is an action in a controller like this…

def download
  @attachment = Attachment.find(params[:id])
  # the file lives outside public/, so only this action can hand it out
  send_file @attachment.public_filename
end

On 8/31/06, _Kevin [email protected] wrote:

> Then all you need is an action in a controller like this…
>
> def download
>   @attachment = Attachment.find(params[:id])
>   send_file @attachment.public_filename
> end

If you need a more custom path, you can override full_filename. Just
look at how the plugin does it and tweak it to serve your needs.


Rick O.
http://weblog.techno-weenie.net
http://mephistoblog.com
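The pattern the two posts above describe (keep the files out of public/ and make one controller action the only way to get them) only helps if that action also does the authentication and per-file authorization Kevin asked for. The following is an added example, not code from the thread or from acts_as_attachment: it models the download action as a plain Ruby class so it runs without Rails, with Struct stand-ins for the Attachment model and current_user, a hypothetical owner-or-admin permission rule, and a containment check that refuses to serve anything whose stored path resolves outside the attachment root. The names DownloadGate, build_fixture, owner_id and the fixture files are assumptions for this example.

```ruby
require 'pathname'
require 'tmpdir'
require 'fileutils'

# Stand-ins for the Rails pieces the thread assumes (Attachment model,
# current_user). Assumed shapes, not acts_as_attachment's own classes.
Attachment = Struct.new(:id, :filename, :content_type, :owner_id, :full_filename)
User       = Struct.new(:id, :admin)

class DownloadGate
  # root: the :file_system_path directory, outside public/, so the web server
  # never serves it directly and this gate is the only way to the bytes.
  def initialize(root, attachments)
    @root = Pathname.new(root).realpath
    @attachments = attachments # {id => Attachment}, stand-in for Attachment.find
  end

  # What the controller action does before calling send_file.
  # Returns [http_status, send_file_arguments_or_nil].
  def serve(id, current_user)
    return [401, nil] if current_user.nil?            # not logged in
    attachment = @attachments[id.to_i]
    return [404, nil] if attachment.nil?
    return [403, nil] unless permitted?(attachment, current_user)

    path = contained_path(attachment.full_filename)
    return [404, nil] if path.nil? || !path.file?

    [200, { :path        => path.to_s,
            :filename    => attachment.filename,      # name the browser sees
            :type        => attachment.content_type,
            :disposition => 'attachment' }]           # download, don't render inline
  end

  private

  # Per-file authorization (assumed rule: owner or admin).
  def permitted?(attachment, user)
    user.admin || attachment.owner_id == user.id
  end

  # Defence in depth: the path comes from the database, not the request, but a
  # bad row, a symlink or a later bug must still not let this action read
  # outside the attachment root.
  def contained_path(full_filename)
    p = Pathname.new(full_filename)
    return nil unless p.exist?
    real = p.realpath
    real.to_s.start_with?(@root.to_s + File::SEPARATOR) ? real : nil
  end
end

# Constructed fixture: one file under a temporary attachment root and one
# Attachment row whose stored path points outside that root.
def build_fixture
  root = Dir.mktmpdir('attachments')
  dir  = File.join(root, '0000', '0001')
  FileUtils.mkdir_p(dir)
  File.write(File.join(dir, 'report.pdf'), '%PDF-1.4 constructed sample')
  outside = File.join(Dir.mktmpdir('elsewhere'), 'not-an-attachment.txt')
  File.write(outside, 'must never be served')
  attachments = {
    1 => Attachment.new(1, 'report.pdf', 'application/pdf', 7, File.join(dir, 'report.pdf')),
    2 => Attachment.new(2, 'evil.txt',   'text/plain',      7, outside),
  }
  DownloadGate.new(root, attachments)
end

if __FILE__ == $0
  gate = build_fixture
  p gate.serve(1, nil)                 # [401, nil]
  p gate.serve(1, User.new(8, false))  # [403, nil]
  p gate.serve(1, User.new(7, false))  # [200, {...}]
  p gate.serve(2, User.new(7, false))  # [404, nil]
end
```

In a real controller the 401/403/404 tuples become redirects or `render :status =>` calls and the 200 case becomes `send_file args[:path], args` (with `:filename`, `:type` and `:disposition` exactly as built here); the point is that the checks run on every request, because once the files are outside public/ nothing else stands between a URL and the file.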

Actually, the method I posted works pretty well, so I see no reason to
change that.

I did run into one problem though… when trying to get it to create
thumbnails I keep getting errors about a method called
‘find_or_initialize_by…’. If I’m not mistaken, that method only
appears in edge rails right now, and that causes the acts_as_attachment
thumbnailing to fail on any of the standard rails releases.

_Kevin