File Management by User Permissions

Hi,

I was wondering what would be the best practices to handle a file
managing system that needs to restrict files to users according to their
authentication.

If I were to put all uploaded files in /public/files one can always get
the url from someone else and still be able to download the file, so I
don’t really like that method. I would prefer a before_filter approach,
but there is no such thing when talking about /public.

Any ideas?

Roland

Try loginGenerator and use another folder to upload the files?

I also would like to do what you are doing.

I believe you can just look at session and if it's valid, allow them
access to a folder.

Serving up a file download is really just sending the data of that file
in encoded format with the appropriate headers, right? So, conceivably,
you could store the files in an inaccessible folder, and when someone
wants a download, your application checks security, then opens and reads
a file from the inaccessible folder, then encodes and passes the data
back to the requesting user with the appropriate header information for
it to be received as a file download.

No one else can use that link because it is security-checked against the
user.

Just a thought - I have no idea what kind of performance issues this
might introduce into your application.

Keep in mind also, this prevents someone from passing the link to a
friend, but there’s no way you can keep them from just downloading the
file and sending that to their friend. You haven’t really made the
process of sharing a downloaded file that much more difficult. So, the
question would be do you really want to devote all this effort to what
is, at best, a thin veil of protection?

c.
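
A sketch of the approach described in the reply above, as an added example that is not code from the thread: files live in a private directory, and each request is checked per user and per file before the data and download headers are returned. `FileGate`, its error classes, the permission table and the sample files are hypothetical and constructed for illustration.

```ruby
require "tmpdir"
require "fileutils"

# FileGate, its errors and the permission table are hypothetical names.
class FileGate
  Forbidden = Class.new(StandardError)
  NotFound  = Class.new(StandardError)

  # root: private directory outside /public; permissions: { user_id => [names] }
  def initialize(root, permissions)
    @root = File.realpath(root)
    @permissions = permissions
  end

  # Returns [headers, body] for an authorized request, raises otherwise.
  def download(user_id, name)
    path = File.expand_path(name, @root)
    # Reject names that resolve outside the private root, e.g. "../x".
    raise Forbidden unless inside_root?(path)
    # The check is per user and per file: knowing the URL grants nothing.
    raise Forbidden unless @permissions.fetch(user_id, []).include?(name)
    # realpath also catches a symlink inside the root that points elsewhere.
    raise NotFound unless File.file?(path) && inside_root?(File.realpath(path))

    safe_name = File.basename(path).gsub(/["\\\r\n]/, "_")
    headers = {
      "Content-Type"        => "application/octet-stream",
      "Content-Disposition" => %(attachment; filename="#{safe_name}"),
      "Content-Length"      => File.size(path).to_s
    }
    [headers, File.binread(path)]
  end

  private

  def inside_root?(path)
    path.start_with?(@root + File::SEPARATOR)
  end
end

# Constructed sample storage: one private file, one file outside the root.
def constructed_gate
  base = Dir.mktmpdir
  root = File.join(base, "private_files")
  FileUtils.mkdir_p(root)
  File.write(File.join(root, "report.txt"), "quarterly numbers")
  File.write(File.join(base, "outside.txt"), "not for download")
  FileGate.new(root, { 1 => ["report.txt", "../outside.txt", "gone.txt"], 2 => [] })
end
```

In a Rails controller the same checks would run in a before_filter or at the top of the action, with `send_file` doing the actual transfer.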

Roland M. wrote:

mixplate wrote:

Try loginGenerator and use another folder to upload the files?

I also would like to do what you are doing.

I believe you can just look at session and if it's valid, allow them
access to a folder.

The authentication portion is not a problem here, however, I prefer the
login/user engine.

As you say, that’s the logic, but actually implementing it is what’s
bugging me. Routing to files is done differently than routing to
functions.

Here are the options I am considering, but with little promise:

  1. Place permissions on files and change permissions to read/write when
    an authenticated user tries to access the file. Drawback: When do you
    change back the permissions? Time to transfer is vulnerability time.

  2. Storing the files in a database. Drawback: Space issues may affect
    database performance.

I am sure there has been some RoR project such as a music store or
ebook store that allowed you to download files, but I have not found
a method online yet.

Thanks for contributing,

Roland
