File storage location != public

My app allows visitors to upload XML files which I parse, store in the
DB for review / modification, and then create a new XML file. I want to
put the files somewhere other than RAILS_ROOT/public so they’re not
publicly visible during the visit. Like maybe RAILS_ROOT/private. What
would be really cool is if I could somehow ensure that only the app
had access to them. I’d appreciate hearing from anybody who’s got any
experience with storing files like this. Any pointers? Any gotcha’s I
need to look out for?

Thanks,
Bill

Bill W. wrote:

My app allows visitors to upload XML files which I parse, store in the
DB for review / modification, and then create a new XML file. I want to
put the files somewhere other than RAILS_ROOT/public so they’re not
publicly visible during the visit. Like maybe RAILS_ROOT/private. What
would be really cool is if I could somehow ensure that only the app
had access to them. I’d appreciate hearing from anybody who’s got any
experience with storing files like this. Any pointers? Any gotcha’s I
need to look out for?

Two options.

  1. you can stream the files with send_file through a controller (I have
    a Docs controller that does this). This is easy enough for smallish
    files… like XML. But I guess there are memory and performance problems
    if you have to stream large media files.

  2. You can use the same controller as above but instead of streaming
    with Rails, use the X-LIGHTTPD-send-file (or X-Sendfile depending on
    your web server) HTTP header to tell the web server to serve a file that
    isn’t in the document root.

For the latter, you’d need to set the content-type and
content-disposition HTTP headers as appropriate.

-matthew