Restricting access to files uploaded by file_column


#1

Hi Guys,

Does anyone know how to restrict access on files that you upload in file
column to certain users only? I notice that files being saved by the
file_column by default are being saved under the public folder and can
be accessed just by typing the URL directly. Let’s say you have a Login
system where you restrict access to some pages and allow those users to
upload their own files, I also want those files to be secured and only
allow users who uploaded those files to be able to access it.

Thanks.

Regards,
Dons


#2

Does anyone have an idea how to do this or if it’s possible? Aside from
this one the only thing I could think of to secure the data is storing
the files to the database which I’m trying to avoid.


#3

That would only provide true protection if the images were stored in the
database - something Donald is trying to avoid.

This is a problem that has trouble many a web developer over the years.
A common method is to run all of your images via script that redirects
to the image:


class ImageController < ApplicationController
def view
redirect_to(’/images/’+params[:image])
end
end

(Note: i have no idea whether the above would work - it should
demonstrate the idea though)

In that case you apply the before_filter as usual. However, this still
would protect the images fully as you could still manually type the
address in. That would require guesswork of course and if you kept the
image names/dirs as numbers mapping to filenames in the db (1234 =>
‘imagename.jpg’) it should be reasonably secure.

If you need things to be more secure than that, you could store the
images in a non-web accessible dir and open the images server side to
push to the browser - that’d probably incur a fairly big processing hit
though :0)

I don’t know whether you could use htaccess to deny or allow directories
based cookies or something - in which case you could set a value that
apache picks up when the file is requested.

Anyway - a lot of that is rambling but hopefully some of it is useful
:0)

Steve


#4

I’m doing something similar. When you upload a file, associate the user
who did the upload with the file.

Then when someone tries to access a file, run a before filter on the
action that allows people to access a file.
In the before filter check if the person trying to access the file is
the same person who uploaded the file.

-Steven


#5

I think my situation is a bit different as I am not displaying files,
but allowing people to download them.
I’ve put the directory that stores the images below the web root and
since the downloads are one offs, opening
the file server side isn’t really a problem.

I’m probably talking out of my %$^#&*, but what if you used AJAX? For
each image you want to display, make an
Ajax call to the relevant controller::action. Yes this would be slower
than having the webserver send the image without
getting ruby involved, but might it be fast enough?

-Steven


#6

What I did is put it in a directory not accessible to the web server,
and serve it with send_file. Still beats storing it in the DB. But for
publicly accessible files I also did a special rewrite on lighty (a
similar thing could be done with apache) to point to symlinks into the
private area.

This way public files can be accessed without Rails interaction, but
private files still go through rails with all the security.

I described what I did (it’s a bit different now and I can help you
get it going if you need to) so you can see how to do it on your
system:

http://devblog.famundo.com/articles/2006/03/22/smart-caching-and-mod_rewrite-black-magic

Bye,

Guy.


#7

Does anyone know how to restrict access on files that you upload in file
column to certain users only? I notice that files being saved by the
file_column by default are being saved under the public folder and can
be accessed just by typing the URL directly. Let’s say you have a Login
system where you restrict access to some pages and allow those users to
upload their own files, I also want those files to be secured and only
allow users who uploaded those files to be able to access it.

In my branch of file_column (http://svn.kylemaxwell.com/file_column/),
i use a salted SHA1 hash of the primary key for the image storage
folder. It’s not truly secure, per se, but you can’t guess the file
name.


Kyle M.
Chief Technologist
E Factor Media // FN Interactive
removed_email_address@domain.invalid
1-866-263-3261