Forum: Ruby on Rails Offering downloads only to registered users

Giovanni Intini (Guest)
on 2006-04-11 13:29
(Received via mailing list)
I'm writing an app for a blood exam center, where people can go and
check the results without going physically there. The customers log in
to the system and a PDF download is offered to them. The downloads,
though, will not be stored in the db but in the filesystem.

How can I allow people to download files only if they're authorised? I
obviously can't store all the files in /public because once someone
figures out the naming scheme they're able to view other customers' data.

Any suggestion?
Matthias Wiemann (Guest)
on 2006-04-11 14:12
(Received via mailing list)
You'll need to check if the user is authorized, and then do a send_file.

cheers
mat

Roberto Saccon (rsaccon)
on 2006-04-11 14:15
(Received via mailing list)
You have many options: let Rails provide the downloads (generally a bad
idea, but very simple to implement), the S3 storage API from Amazon, or
my preferred solution: Lighttpd with mod_secdownload.
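The link format mod_secdownload expects, as an added example that is not part of the original post: the application builds `<uri-prefix><token>/<timestamp-in-hex><rel-path>` only after its own authorisation check, with the token being the MD5 of secret, relative path and hex timestamp. The secret, prefix, timeout and function names are assumptions, and `secdownload_check` only mirrors the server-side validation to show what the token binds.

```ruby
require "digest/md5"

# Assumed values (not from the thread); they must match lighttpd.conf:
#   secdownload.secret     = "constructed-secret"
#   secdownload.uri-prefix = "/dl/"
#   secdownload.timeout    = 60
SECDL_SECRET  = "constructed-secret"
SECDL_PREFIX  = "/dl/"
SECDL_TIMEOUT = 60

# Build the link the application hands to an already-authorised user.
# rel_path is relative to secdownload.document-root, which lives outside /public.
def secdownload_url(rel_path, now: Time.now)
  rel_path = "/#{rel_path}" unless rel_path.start_with?("/")
  raise ArgumentError, "path traversal" if rel_path.split("/").include?("..")
  ts = format("%08x", now.to_i)
  token = Digest::MD5.hexdigest(SECDL_SECRET + rel_path + ts)
  "#{SECDL_PREFIX}#{token}/#{ts}#{rel_path}"
end

# Mirror of the check the web server applies to an incoming request.
def secdownload_check(url, now: Time.now)
  m = url.match(%r{\A#{Regexp.escape(SECDL_PREFIX)}(\h{32})/(\h{8})(/.+)\z})
  return :malformed unless m
  token, ts, rel_path = m.captures
  return :expired if (now.to_i - ts.to_i(16)).abs > SECDL_TIMEOUT
  expected = Digest::MD5.hexdigest(SECDL_SECRET + rel_path + ts)
  # Compare every byte so the check does not exit early on the first mismatch.
  diff = token.bytes.zip(expected.bytes).sum { |a, b| a ^ b }
  diff.zero? ? :ok : :forbidden
end
```

Because the path and timestamp are both inside the hash, changing the customer directory or pushing the timestamp forward invalidates the token; anyone holding an unexpired link can still use it, so the timeout should stay short.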
Giovanni Intini (Guest)
on 2006-04-11 16:55
(Received via mailing list)
2006/4/11, Matthias Wiemann <matthias.wiemann@marketmondiale.com>:
> You'll need to check if the user is authorized, and then do a send_file.

I didn't look into send_file, thanks.
Giovanni Intini (Guest)
on 2006-04-11 16:58
(Received via mailing list)
2006/4/11, Roberto Saccon <rsaccon@gmail.com>:
>
> you have many options: let rails provide the downloads (generally bad
> idea, but very simple to implement), S3 storage API from amazon, or my
> preferred solution: Lighttpd with mod_secdownload.
>

Why do you think sending it via Rails is a bad idea? And do you have any
pointers to mod_secdownload documentation?
Ryan Bates (Guest)
on 2006-04-11 20:24
(Received via mailing list)
On Apr 11, 2006, at 4:27 AM, Giovanni Intini wrote:
>
> How can I allow people to download files only if they're
> authorised? I obviously can't store all the files in /public
> because once someone figures the naming scheme they're able to view
> other customers' data.
>
> Any suggestion?

Although probably not the best way, this worked well for me because I
had literally thousands of different files which needed authorized
access. Each account only had access to a unique subset of those
thousands of files, and some files were larger than 1 GB. I was using
Apache, so I don't know how well this will work with lighttpd. This
is how I did it:

1. Place the secure files into a private directory.
2. When an account needs access to a file, create a public directory with a unique name (impossible to guess).
3. Create a symbolic link in the new public directory linking to the file in the private directory.
4. When you want the link to expire, just remove the sym link and/or public directory.

Of course, this was all scripted so nothing had to be done manually.
If you are just dealing with small files or only one file, there are
definitely better ways to handle this.

Hope that helps.

Ryan
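A sketch of how the four steps above could be scripted, added here as an example and not the poster's own script. The function names, the 256-bit token and the age-based sweep are assumptions.

```ruby
require "securerandom"
require "fileutils"

# The web server must follow symlinks and must not list the public root,
# otherwise the token directories are enumerable
# (Apache: Options +FollowSymLinks -Indexes).
LINK_TOKEN = /\A[A-Za-z0-9_-]{43}\z/

# Steps 2-3: create an unguessable public directory and link the private file.
# The download URL is "<public base URL>/<token>/<file name>".
def publish_link(private_file, public_root)
  private_file = File.realpath(private_file)   # raises if the file is missing
  token = SecureRandom.urlsafe_base64(32)      # 256 random bits, 43 characters
  dir = File.join(public_root, token)
  Dir.mkdir(dir, 0o755)
  File.symlink(private_file, File.join(dir, File.basename(private_file)))
  token
end

# Step 4: expire one link. Removes the symlink and its directory, never the target.
def revoke_link(token, public_root)
  raise ArgumentError, "bad token" unless token.match?(LINK_TOKEN)
  FileUtils.rm_rf(File.join(public_root, token))
end

# Expire every link older than max_age seconds (for a cron job or similar).
# Returns the tokens that were removed.
def sweep_expired(public_root, max_age, now: Time.now)
  Dir.children(public_root).select do |token|
    token.match?(LINK_TOKEN) &&
      File.lstat(File.join(public_root, token)).mtime < now - max_age
  end.each { |token| revoke_link(token, public_root) }
end
```

The token is the only access control once the link exists, so it comes from `SecureRandom` and `revoke_link` refuses anything that is not token-shaped before deleting.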
ar ko (kortina)
on 2006-08-22 21:20
Hi,

Does anyone know of a library for Ruby on Rails to integrate S3 storage
and only allow authorized downloads?  I did a little bit of searching
and found rsh3ll for Ruby, but didn't find anyone talking about
integrating this with Rails.

I don't know too much about S3, but is it possible to grant one of the
users of my site limited access to download one file, for, say, a
24-hour period?

If anyone has ideas or links to good articles, please send them my way.
Thanks.


Roberto Saccon wrote:
> you have many options: let rails provide the downloads (generally bad
> idea, but very simple to implement), S3 storage API from amazon, or my
> preferred solution: Lighttpd with mod_secdownload.
idleFingers (Guest)
on 2006-08-28 15:46
(Received via mailing list)
Hi,

There's a Ruby library available at the AWS site:
http://developer.amazonwebservices.com/connect/ent...

and check this out, too: http://townx.org/blog/elliot/s3_rails

Hope this helps,
Damien
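On the question above about giving one user access to one file for 24 hours: S3 supports this through query-string (presigned) URLs. The following is an added example, not code from any of the linked libraries, that builds one with the current Signature Version 4 scheme using only Ruby's standard library. The function name, parameter names and the global `s3.amazonaws.com` virtual-host endpoint are assumptions.

```ruby
require "openssl"

# RFC 3986 percent-encoding as required by Signature Version 4.
def s3_encode(str)
  str.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format("%%%02X", b) }.join }
end

# Returns a GET URL for one private object that stops working after
# expires_in seconds. Generate it only after the application has
# authorised the logged-in user for this key.
def presigned_get_url(bucket:, key:, access_key:, secret_key:, region:,
                      expires_in:, now: Time.now.utc)
  raise ArgumentError, "expires_in must be 1..604800" unless (1..604_800).cover?(expires_in)
  host     = "#{bucket}.s3.amazonaws.com"
  amz_date = now.strftime("%Y%m%dT%H%M%SZ")
  date     = amz_date[0, 8]
  scope    = "#{date}/#{region}/s3/aws4_request"
  path     = "/" + key.split("/", -1).map { |seg| s3_encode(seg) }.join("/")
  params = {
    "X-Amz-Algorithm"     => "AWS4-HMAC-SHA256",
    "X-Amz-Credential"    => "#{access_key}/#{scope}",
    "X-Amz-Date"          => amz_date,
    "X-Amz-Expires"       => expires_in.to_s,
    "X-Amz-SignedHeaders" => "host"
  }
  query = params.sort.map { |k, v| "#{s3_encode(k)}=#{s3_encode(v)}" }.join("&")
  canonical = ["GET", path, query, "host:#{host}", "", "host", "UNSIGNED-PAYLOAD"].join("\n")
  to_sign = ["AWS4-HMAC-SHA256", amz_date, scope,
             OpenSSL::Digest::SHA256.hexdigest(canonical)].join("\n")
  # Derive the signing key: an HMAC chain over date, region, service, terminator.
  signing_key = [date, region, "s3", "aws4_request"].inject("AWS4" + secret_key) do |k, part|
    OpenSSL::HMAC.digest("SHA256", k, part)
  end
  signature = OpenSSL::HMAC.hexdigest("SHA256", signing_key, to_sign)
  "https://#{host}#{path}?#{query}&X-Amz-Signature=#{signature}"
end
```

Calling it with `expires_in: 86_400` gives the 24-hour link asked about. The URL is a bearer credential for that one object until it expires, so the bucket itself stays private and the link is issued per authorised request.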