Offering downloads only to registered users


#1

I’m writing an app for a blood exam center, where people can go and check
the results without going physically there. The customers log in the system
and a pdf download is offered to them. The downloads though will not be
stored in the db but in the filesystem.

How can I allow people to download files only if they’re authorised? I
obviously can’t store all the files in /public because once someone figures
the naming scheme they’re able to view other customers’ data.

Any suggestion?


#2

You’ll need to check if the user is authorized, and then do a send_file.

cheers
mat


From: removed_email_address@domain.invalid [mailto:removed_email_address@domain.invalid] On Behalf Of Giovanni Intini
Sent: Tuesday, 11 April 2006 13:27
To: removed_email_address@domain.invalid
Subject: [Rails] Offering downloads only to registered users

I’m writing an app for a blood exam center, where people can go and check
the results without going physically there. The customers log in the system
and a pdf download is offered to them. The downloads though will not be
stored in the db but in the filesystem.

How can I allow people to download files only if they’re authorised? I
obviously can’t store all the files in /public because once someone figures
the naming scheme they’re able to view other customers’ data.

Any suggestion?


#3

You have many options: let rails provide the downloads (generally bad
idea, but very simple to implement), S3 storage API from amazon, or my
preferred solution: Lighttpd with mod_secdownload.


#4

2006/4/11, Matthias W. removed_email_address@domain.invalid:

You’ll need to check if the user is authorized, and then do a send_file.

I didn’t look into send_file, thanks.


#5

2006/4/11, Roberto S. removed_email_address@domain.invalid:

you have many options: let rails provide the downloads (generally bad
idea, but very simple to implement), S3 storage API from amazon, or my
preferred solution: Lighttpd with mod_secdownload.

Why do you think sending it via rails is a bad idea? And do you have any
pointers to mod_secdownload documentation?


#6

On Apr 11, 2006, at 4:27 AM, Giovanni I. wrote:

How can I allow people to download files only if they’re
authorised? I obviously can’t store all the files in /public
because once someone figures the naming scheme they’re able to view
other customers’ data.

Any suggestion?

Although probably not the best way, this worked well for me because I
had literally thousands of different files which needed authorized
access. Each account only had access to a unique subset of those
thousands of files, and some files were larger than 1 GB. I was using
Apache, so I don’t know how well this will work with lighttpd. This
is how I did it:

  1. Place the secure files into a private directory.
  2. When an account needs access to a file, create a public directory
    with a unique name (impossible to guess).
  3. Create a symbolic link in the new public directory linking to the
    file in the private directory.
  4. When you want the link to expire, just remove the sym link and/or
    public directory.

Of course, this was all scripted so nothing had to be done manually.
If you are just dealing with small files or only one file, there are
definitely better ways to handle this.

Hope that helps.

Ryan
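
Ryan's four steps as a small Ruby helper (an added example, not code from the thread; the class and method names are hypothetical). It assumes the web server follows symlinks and has directory listing disabled for the public root, and it also rejects file names that resolve outside the private directory.

```ruby
require "securerandom"
require "tmpdir"

# Hypothetical helper, not from the thread: exposes files kept in a private
# directory through unguessable, expiring symlink directories in the web root.
class LinkPublisher
  def initialize(private_dir, public_dir)
    @private_dir = File.realpath(private_dir)
    @public_dir  = File.realpath(public_dir)
  end

  # Steps 2 and 3: create the random directory and the symlink, return the URL path.
  def publish(filename)
    target = File.realpath(File.join(@private_dir, filename))
    # Reject names that resolve outside the private directory (e.g. "../x").
    unless target.start_with?(@private_dir + File::SEPARATOR) && File.file?(target)
      raise ArgumentError, "not a file inside the private directory"
    end
    token = SecureRandom.urlsafe_base64(32) # 256 bits from the OS CSPRNG
    dir = File.join(@public_dir, token)
    Dir.mkdir(dir)
    File.symlink(target, File.join(dir, File.basename(target)))
    "/#{token}/#{File.basename(target)}"
  end

  # Step 4: delete link directories older than max_age seconds; returns their tokens.
  def expire(max_age, now = Time.now)
    Dir.children(@public_dir).select do |token|
      dir = File.join(@public_dir, token)
      next false unless File.directory?(dir) && now - File.lstat(dir).mtime > max_age
      # File.unlink removes the symlink itself, never the private file behind it.
      Dir.children(dir).each { |name| File.unlink(File.join(dir, name)) }
      Dir.rmdir(dir)
      true
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root| # constructed sample layout and file
    priv, pub = %w[private public].map { |d| File.join(root, d).tap { |path| Dir.mkdir(path) } }
    File.write(File.join(priv, "result.pdf"), "constructed sample")
    links = LinkPublisher.new(priv, pub)
    puts links.publish("result.pdf")
    p links.expire(1800, Time.now + 3600)
  end
end
```

Anyone who obtains the URL can fetch the file until `expire` removes it, so the link lifetime is the only access control once a link has been handed out.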


#7

Hi,

Does anyone know of a library for ruby on rails to integrate S3 storage
and only allow authorized downloads? I did a little bit of searching
and found rsh3ll for ruby, but didn’t find anyone talking about
integrating this with rails.

I don’t know too much about S3, but is it possible to grant one of the
users of my site limited access to download one file, for say a 24-hour
period?

If anyone has ideas or links to good articles, please send them my way.
Thanks.

Roberto S. wrote:

You have many options: let rails provide the downloads (generally bad
idea, but very simple to implement), S3 storage API from amazon, or my
preferred solution: Lighttpd with mod_secdownload.


#8

Hi,

There’s a ruby library available at the aws site:
http://developer.amazonwebservices.com/connect/entry.jspa?externalID=135&categoryID=47

and check this out, too: http://townx.org/blog/elliot/s3_rails

Hope this helps,
Damien