Folder question....routing error

I have this scenario:

A Controller called Product.

I have a folder set up as /app/views/product/product1/documents
and a document called test.pdf residing in the above folder.

I have a view file called full_list.rhtml residing in
/app/views/product/product1.
And in full_list.rhtml I have this link Test.pdf

When I click that link, I get this error:
no route found to match “/product/product1/documents/test.pdf”
with {:method=>:get}

Obviously I’m not doing things right. But I just don’t know what it is
I’m not doing right.

A second question concerning good ROR practices - where in the ROR
directory structure should I put documents (such as test.pdf) that I
wish user to have access to? Since these are restricted documents, I’m
concerned about having them in the public folder.

Any help would be greatly appreciated since I have spent hours trying
to figure this thing out.

Many thanks.
Steve

> A second question concerning good ROR practices - where in
> the ROR directory structure should I put documents (such as
> test.pdf) that I wish user to have access to? Since these are
> restricted documents, I’m concerned about having them in the
> public folder.

You can put them anywhere but public. Anything in public bypasses rails
and is served directly by the web server. Anyone that knows the URL has
access to the information. I historically have created a sibling
directory to public called protected, and I place my protected documents
there. I then use a route like so:

config/routes.rb

    # Static content control
    map.connect '/protected/*path', :controller => 'protected', :action => 'render_static'

So that rails will be invoked and call the render_static action on any
attempted access to data in this folder tree. Then, things get a bit
messy. First, you must determine if the requester is authorized to the
material. Then, if the material is an html file, you need to render it
using the ‘render’ method, otherwise, you need to compute the mimetype
of the file and use the ‘send_file’ method to send it. An exercise, as
they say, for the reader.

app/controllers/protected_controller.rb

    class ProtectedController < ApplicationController
      def render_static(mimetype="", disposition="inline")
        # the *path glob captured by the route
        requested_file = params[:path].to_s

        # render or send_file, as you please

      end
    end

You probably want to make sure that no one can initiate a directory
traversal attack, via some magic like ‘../../../etc/passwd’ and such
too. I’m not sure if rails protects you from such things or not.
Lastly, if the requested data is not on file, or not authorized, you may
wish to render /public/404.html or similar.

HTH

Regards,
Rich
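
The checks described in the reply above (authorization, directory traversal, render versus send_file, 404 for anything else), as an added example in plain Ruby that is not part of the original post. The names resolve_protected, plan_response, MIME_TYPES and build_sample_tree are hypothetical, and the sample tree is constructed; a real render_static would call render or send_file based on the returned plan.

```ruby
require 'tmpdir'
require 'fileutils'

# Assumed extension table; extend it for the file types you actually serve.
MIME_TYPES = { '.pdf' => 'application/pdf', '.txt' => 'text/plain' }.freeze

# Hypothetical helper: turn the *path glob into a real file under root,
# or nil when it is missing or resolves outside root.
def resolve_protected(root, requested)
  root = File.realpath(root)
  relative = Array(requested).join('/')   # older Rails passes globs as an array
  return nil if relative.empty? || relative.include?("\0")
  begin
    real = File.realpath(File.join(root, relative))   # collapses ".." and symlinks
  rescue SystemCallError
    return nil                                         # not on file
  end
  inside = real.start_with?(root + File::SEPARATOR)
  inside && File.file?(real) ? real : nil
end

# Hypothetical decision step: what render_static should do for a request.
def plan_response(root, requested, authorized)
  file = authorized ? resolve_protected(root, requested) : nil
  return [:not_found] if file.nil?          # same answer for missing and forbidden
  ext = File.extname(file).downcase
  return [:render, file] if ext == '.html'
  [:send_file, file, MIME_TYPES.fetch(ext, 'application/octet-stream')]
end

# Constructed sample tree: protected/ next to a file that must stay private.
def build_sample_tree(base)
  root = File.join(base, 'protected')
  FileUtils.mkdir_p(File.join(root, 'product1'))
  File.write(File.join(root, 'product1', 'test.pdf'), '%PDF-1.4 sample')
  File.write(File.join(root, 'index.html'), '<p>hi</p>')
  File.write(File.join(base, 'secret.txt'), 'outside the root')
  File.symlink(File.join(base, 'secret.txt'), File.join(root, 'link.txt'))
  root
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |base|
    root = build_sample_tree(base)
    [%w[product1 test.pdf], 'index.html', '../secret.txt', 'link.txt'].each do |req|
      p [req, plan_response(root, req, true).first]
    end
  end
end
```

Comparing the resolved real path against the root, rather than scanning the request string for "..", also rejects a symlink inside protected that points somewhere else.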