Forum: Ruby on Rails How to restrict access to images by user?

Nicolas Buet (Guest)
on 2006-04-20 09:18
(Received via mailing list)
Hi,

I have some image files that belong to some users. Only the owner of an image should be able to see it.
How can I do that?
I don't think I can use send_data, because I want the image to be displayed on a "rendered" page. I don't think I can place the images in the public folder, because if some user can figure out the name of the image then he'll be able to see it... what is the correct way to handle this?

Regards,

Nicolas
Roberto Saccon (rsaccon)
on 2006-04-20 09:21
(Received via mailing list)
Take a look at mod_secdownload if you use lighttpd.
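
The idea behind the mod_secdownload suggestion above, as an added example that is not part of the thread and is not lighttpd's own code or token format: the application checks ownership and hands out a short-lived URL whose token is computed from a shared secret, the file path and a timestamp, and the serving side recomputes the token before releasing the file. The image table, secret, `/dl` prefix, 60-second lifetime and the choice of HMAC-SHA256 are assumptions made for this sketch.

```ruby
require 'openssl'

# Constructed sample data: image id => owner and path below the protected directory.
IMAGES = {
  1 => { owner_id: 10, path: '/u10/holiday.jpg' },
  2 => { owner_id: 20, path: '/u20/passport.png' }
}.freeze
SECRET = 'replace-with-a-long-random-secret' # placeholder shared by app and verifier
PREFIX = '/dl' # hypothetical URL prefix handled by the verifier
TTL    = 60    # seconds a link stays valid

# The token binds timestamp and path; ':' cannot occur in the hex timestamp,
# so the two fields cannot be shifted into each other.
def token_for(path, ts_hex)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, "#{ts_hex}:#{path}")
end

# App side: only the owner gets a link. Missing and foreign images both
# return nil, so the caller can answer 404 without revealing which ids exist.
def signed_url(user_id, image_id, now = Time.now)
  image = IMAGES[image_id]
  return nil unless image && image[:owner_id] == user_id
  ts_hex = now.to_i.to_s(16)
  "#{PREFIX}/#{token_for(image[:path], ts_hex)}/#{ts_hex}#{image[:path]}"
end

# Constant-time comparison: does not stop at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Serving side: returns the path to serve, or nil for a forged or expired link.
def verify(url, now = Time.now)
  m = %r{\A#{Regexp.escape(PREFIX)}/(\h{64})/(\h{1,16})(/.+)\z}.match(url)
  return nil unless m
  token, ts_hex, path = m.captures
  return nil if path.split('/').include?('..')
  return nil unless secure_equal?(token, token_for(path, ts_hex))
  age = now.to_i - ts_hex.to_i(16)
  age.between?(0, TTL) ? path : nil
end
```

A leaked link still works for anyone until it expires, so the lifetime should be just long enough for the rendered page to load its images.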
Jeff Coleman (progressions)
on 2006-04-20 09:34
Nicolas Buet wrote:
> Hi,
>
> I have some image files that belong to some users. Only the owner of an image should be able to see it.
> How can I do that?
> I don't think I can use send_data, because I want the image to be displayed on a "rendered" page. I don't think I can place the images in the public folder, because if some user can figure out the name of the image then he'll be able to see it... what is the correct way to handle this?
>
> Regards,
>
> Nicolas

You could use file_column and store the image file information in the
database--they'd still live in your file system, but they'd be available
as an ActiveRecord model which you could filter and display however you
needed.

Jeff Coleman
Henry Maddocks (Guest)
on 2006-04-20 09:46
(Received via mailing list)
On 20/04/2006, at 7:15 PM, Nicolas Buet wrote:

> I don't think I can use send_data, because I want the image to be
> displayed on a "rendered" page.

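def inline_image
     # find_by_id returns nil for an unknown id; find would raise
     # ActiveRecord::RecordNotFound, so the nil check below would never run
     image = Image.find_by_id(params[:id])

     if image.nil?
         redirect_to '/404.html' and return
     end

     # send the image bytes only when the logged-in user may view this image
     if authorised_to_view?(session[:user], image)
         send_data image.data, :filename => image.file_name,
                   :type => image.mime_type, :disposition => 'inline'
     else
         redirect_to :controller => 'images', :action => 'list' and return
     end
end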