Geoffroy G. wrote:
How can I protect static assets behind authentication.
I’m familliar with protecting dynamic pages but how to protect static
An example would be : someone login to my application, upload a
picture and authorize only some users to see this picture.
How to avoid someone to access the picture, even if this pperson knows
the correct url of the file.
The solution is probably to let rails handle static files, but how to
force this behavior and how to handle differents file types (probably
In most production environments web resources (files under
$RAILS_ROOT/public) are served to the client by the web server (Apache,
Nginx, etc.). Your Rails application, and therefore your authentication,
are not involved at all.
The easiest solution is to move the files you want to deliver outside of
the public folder and serve them to the client from your Rails
application using send_file:
Take special note of the :x_sendfile option. This will basically hand
the bulk of the file streaming back to Apache. With send_file you’ll be
able to control access to the protected files, by whatever means you
wish. You would then be able to send the files just as you would
normally send html to the client using Rails routing and controller