Hey all!
Im building an app at the moment in which users can upload images of
themselves.
The problem is, because these images are stored in the public
directory they are open to the public.
How can I protect these images but still allow access to them in my
views?
thanks
Gavin
On Fri, Jul 3, 2009 at 12:40 PM, Gavin[email protected]
wrote:
views?
thanks
Gavin
You’ll need to explain protect but still allow access.
You could store them in another directory and then use send_file to
send the file after some form of authentication.
You can also do this with nginx (better scalability) via the method I
explain on my blog at
http://ramblingsonrails.com/how-to-protect-downloads-but-still-have-nginx-serve-the-files
A similar method exists for Apache.
Andrew T.
http://ramblingsonrails.com
http://MyMvelope.com - The SIMPLE way to manage your savings
Sorry,
by “still allow access” I simply meant that I could still refer to the
images in my HTML. ( )
send_file isn’t appropriate here ( as far as I’m aware ).
Suppose my profile image is located at “images/3.jpg”. I want to
prevent users from then visiting “images/4.jpg” and checking out
pictures they don’t have access to.
So far, encypting the image name seems to be the only solution.
ie- “images/8dfa7dg6g82h9dhn9njn23knjkknsdf9.jpg”
Making it a little more difficult to ‘guess’ the picture url.
Anybody know of a better way to handle this?
Gavin
On Jul 3, 1:45 pm, Andrew T. [email protected]
Gavin M. wrote:
[…]
send_file isn’t appropriate here ( as far as I’m aware ).
Why not? It sounds like exactly what you want – a way to send an
arbitrary file that isn’t in the public directory.
Suppose my profile image is located at “images/3.jpg”. I want to
prevent users from then visiting “images/4.jpg” and checking out
pictures they don’t have access to.
Then don’t put the images in the public directory. The public directory
is, well, public.
So far, encypting the image name seems to be the only solution.
ie- “images/8dfa7dg6g82h9dhn9njn23knjkknsdf9.jpg”
Making it a little more difficult to ‘guess’ the picture url.
This could work too.
Best,
Marnen Laibow-Koser
http://www.marnen.org
[email protected]
Why not? It sounds like exactly what you want – a way to send an
arbitrary file that isn’t in the public directory.
Isn’t send_file for streaming the file to the user though?
I’m only looking to load the image on screen, I don’t want the users
to actually download a copy of the file.
Thanks
Gavin
Alrighty…
Was not aware of that.
I think in this case it’s best to go with the encrpted filename
option because I’ll might have loads of images to render per page.
Thanks for your help guys.
Gavin
You can send a file inline without streaming for an image (I’m using
this in an application):
send_file path, :type => ‘image/jpeg’, :disposition =>
‘inline’, :stream => false
HTH,
Nicholas
option because I’ll might have loads of images to render per page.
^ apologies for the crap grammar - writing in a hurry today
Just so you know, with the x-sendfile option:
:x_sendfile - uses X-Sendfile to send the file when set to true. This
is currently only available with Lighttpd/Apache2 and specific modules
installed and activated. Since this uses the web server to send the
file, this may lower memory consumption on your server and it will not
block your application for further requests. See
http://blog.lighttpd.net/articles/2006/07/02/x-sendfile and
tn123.ath.cx is offline for details. Defaults to false.
Thanks Nicholas,
I have used send_file before, but I had no idea that the ‘inline’
option was available.
You’ve also helped answer the problem I’ve had with my mp3_player
plugin (http://handyrailstips.com/tips/7-playing-mp3-s-on-your-rails-
site-with-mp3_player)
Thanks again
Gavin