How should I properly secure uploaded photos?

Hey guys,

So I’m building a Rails 3 app and one of the major things it needs to
do is let users upload photos into their own photo albums. That part
in and of itself isn’t a problem; where I’m a bit short on knowledge
is the proper way to secure that information.

Say we have 3 users: a, b, c. A and B are friends, C doesn’t know
either one of them. A uploads photos into his/her album, which is
marked to be viewed by “friends only”, so B can see those photos, but
not C.

However, what’s to stop B from grabbing the URL to the photo of A and
then sending it to C over iChat or something? C gets the image pulled
up without even so much as a login.

I might be going a bit overkill here, but with all the recent
discussion in the technology industry about individual privacy, I want
to make sure this problem gets solved RIGHT. The only way I know to
do this off the top of my head is to set the image source as a Ruby
script itself, and have that script (or method in a controller) do the
checks, then if they’re good, retrieve the image and then send the raw
image data down. I’ve done that with PHP before, but truth be told, I
don’t like it because it seems rather inefficient.

Is there a good way to do this, or is it generally acceptable that,
while my app won’t show C any photos of A, those photos aren’t
actually protected from a raw GET request, if somebody knew where to
look?

Thanks :)

On Mar 13, 12:47pm, Phoenix R. [email protected] wrote:

> image data down. I’ve done that with PHP before, but truth be told, I
> don’t like it because it seems rather inefficient.

Doesn’t have to be inefficient with something like X-SendFile. None of
this would stop B just sending the file to C though.

Fred

On Sun, Mar 13, 2011 at 5:47 AM, Phoenix R. [email protected] wrote:

> not C.
>
> However, what’s to stop B from grabbing the URL to the photo of A and
> then sending it to C over iChat or something? C gets the image pulled
> up without even so much as a login.

Write a rails controller that handles sending images and has auth on it,
or a metal controller that sends the images and checks an expiration
stamp, associated with the url.

You may have better things to learn or do, before you solve this
properly - as Fred said - the file can get saved, sent or anything once
it is out of your system.


make haste slowly
festina lente

mobile +1_415_632_6001
[email protected] [email protected]
http://robotarmyma.de

It’s easy to use google when you know what to look for: “X-SendFile”.

http://www.therailsway.com/2009/2/22/file-downloads-done-right
Thanks Frederick for the info

Robert Pankowecki
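
An added example, not part of any post in this thread: a plain-Ruby sketch of the two suggestions above combined, a per-request friend check plus an HMAC-signed expiry stamp, answering with an `X-Sendfile` header so the web server streams the file. `SECRET`, `FRIENDS`, `PHOTOS` and every method name are hypothetical, and the data is constructed.

```ruby
require "openssl"

# Constructed sample data; every name below is hypothetical.
SECRET  = "replace-with-a-long-random-server-side-key"
FRIENDS = { "a" => ["b"], "b" => ["a"], "c" => [] }
PHOTOS  = { 42 => { owner: "a", path: "/srv/private/photos/42.jpg" } }

# HMAC over photo id, viewer and expiry, so a link cannot be
# retargeted to another photo or user, or have its lifetime extended.
def sign(photo_id, viewer, expires)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), SECRET,
                          "#{photo_id}:#{viewer}:#{expires}")
end

# URL handed to an already authorized viewer; valid for ttl seconds.
def photo_url(photo_id, viewer, now: Time.now.to_i, ttl: 300)
  expires = now + ttl
  "/photos/#{photo_id}?expires=#{expires}&sig=#{sign(photo_id, viewer, expires)}"
end

# Comparison whose running time does not depend on where the strings differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# "Friends only": the owner and the owner's friends may view.
def may_view?(viewer, photo)
  return false if viewer.nil?
  viewer == photo[:owner] || FRIENDS.fetch(photo[:owner], []).include?(viewer)
end

# Rack-style [status, headers, body]. The file lives outside the public
# document root, so a raw GET to a static path never reaches it.
def serve_photo(photo_id, session_user, expires, sig, now: Time.now.to_i)
  photo = PHOTOS[photo_id]
  return [404, {}, []] unless photo
  return [403, {}, []] unless may_view?(session_user, photo)
  return [403, {}, []] if expires.to_i < now
  expected = sign(photo_id, session_user, expires.to_i)
  return [403, {}, []] unless secure_compare(expected, sig.to_s)
  [200, { "Content-Type" => "image/jpeg", "X-Sendfile" => photo[:path] }, []]
end
```

With nginx the equivalent response header is `X-Accel-Redirect` pointing at an `internal` location.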