Protecting static assets

How can I protect static assets behind authentication.
I’m familliar with protecting dynamic pages but how to protect static
files?

An example would be : someone login to my application, upload a
picture and authorize only some users to see this picture.
How to avoid someone to access the picture, even if this pperson knows
the correct url of the file.

The solution is probably to let rails handle static files, but how to
force this behavior and how to handle differents file types (probably
through sendfile).

Greetz

Geoffroy G. wrote:

How can I protect static assets behind authentication.
I’m familliar with protecting dynamic pages but how to protect static
files?

An example would be : someone login to my application, upload a
picture and authorize only some users to see this picture.
How to avoid someone to access the picture, even if this pperson knows
the correct url of the file.

The solution is probably to let rails handle static files, but how to
force this behavior and how to handle differents file types (probably
through sendfile).

In most production environments web resources (files under
$RAILS_ROOT/public) are served to the client by the web server (Apache,
Nginx, etc.). Your Rails application, and therefore your authentication,
are not involved at all.

The easiest solution is to move the files you want to deliver outside of
the public folder and serve them to the client from your Rails
application using send_file:

http://railsapi.com/doc/rails-v2.3.5/classes/ActionController/Streaming.html#M001587

Take special note of the :x_sendfile option. This will basically hand
the bulk of the file streaming back to Apache. With send_file you’ll be
able to control access to the protected files, by whatever means you
wish. You would then be able to send the files just as you would
normally send html to the client using Rails routing and controller
actions.

Thank you, it was a big helper.

I found all I needed thanks to you.

Cheers

Geoffroy

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs