How to restrict access to images by user?


#1

Hi,

I have some image files that belong to some users. Only the owner of an
image should be able to see it.
How can I do that?
I don’t think I can use send_data, because I want the image to be
displayed on a “rendered” page. I don’t think I can place the images in
the public folder, because if some user can figure out the name of the
image then he’ll be able to see it… what is the correct way to handle this?

Regards,

Nicolas


#2

Take a look at mod_secdownload if you use lighttpd.
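
The scheme behind mod_secdownload, as an added example (not code from this thread or from lighttpd): the application issues a time-limited URL only to the image's owner, and the web server recomputes the token before serving the file. It follows the MD5 token layout described in lighttpd's mod_secdownload documentation; the secret, prefix, paths and the Image struct are constructed for illustration.

```ruby
require 'digest/md5'

# Constructed values; in lighttpd they correspond to secdownload.secret,
# secdownload.uri-prefix and secdownload.timeout.
SECRET     = 'constructed-shared-secret'
URI_PREFIX = '/dl/'
TIMEOUT    = 60 # seconds a link stays valid

# Hypothetical stand-in for the application's image model.
Image = Struct.new(:id, :owner_id, :rel_path)

# token = MD5(secret + rel_path + timestamp in hex)
def token_for(rel_path, hex_time)
  Digest::MD5.hexdigest(SECRET + rel_path + hex_time)
end

# Application side: build a link only for the owner of the image.
def secure_image_url(user_id, image, now = Time.now.to_i)
  return nil unless image.owner_id == user_id
  hex_time = now.to_s(16)
  "#{URI_PREFIX}#{token_for(image.rel_path, hex_time)}/#{hex_time}#{image.rel_path}"
end

# Web-server side, modelled here to show what is checked on every request.
def link_valid?(url, now = Time.now.to_i)
  m = %r{\A#{Regexp.escape(URI_PREFIX)}(\h{32})/(\h{1,8})(/.+)\z}.match(url)
  return false unless m
  token, hex_time, rel_path = m.captures
  # Reject links whose timestamp is outside the allowed window.
  return false if (now - hex_time.to_i(16)).abs > TIMEOUT
  expected = token_for(rel_path, hex_time)
  # Compare all bytes instead of stopping at the first difference.
  token.bytes.zip(expected.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end
```

The image files have to live outside the public folder, under the directory the secdownload prefix maps to, so that a guessed file name alone never reaches them.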


#3

Nicolas B. wrote:

Hi,

I have some image files that belong to some users. Only the owner of an
image should be able to see it.
How can I do that?
I don’t think I can use send_data, because I want the image to be
displayed on a “rendered” page. I don’t think I can place the images in
the public folder, because if some user can figure out the name of the
image then he’ll be able to see it… what is the correct way to handle this?

Regards,

Nicolas

You could use file_column and store the image file information in the
database–they’d still live in your file system, but they’d be available
as an ActiveRecord model which you could filter and display however you
needed.

Jeff C.man


#4

On 20/04/2006, at 7:15 PM, Nicolas B. wrote:

I don’t think I can use send_data, because I want the image to be
displayed on a “rendered” page.

    def inline_image
      # find_by_id returns nil for an unknown id (find would raise instead)
      image = Image.find_by_id(params[:id])

      if image.nil?
        redirect_to '/404.html' and return
      end

      # Stream the bytes only when the logged-in user may view this image
      if authorised_to_view?(session[:user], image)
        send_data image.data, :filename => image.file_name,
                  :type => image.mime_type, :disposition => 'inline'
      else
        redirect_to :controller => 'images', :action => 'list' and return
      end
    end