Hi Guys, Does anyone know how to restrict access on files that you upload in file column to certain users only? I notice that files being saved by the file_column by default are being saved under the public folder and can be accessed just by typing the URL directly. Let's say you have a Login system where you restrict access to some pages and allow those users to upload their own files, I also want those files to be secured and only allow users who uploaded those files to be able to access it. Thanks. Regards, Dons
on 2006-05-31 09:34
on 2006-05-31 12:30
Does anyone have an idea how to do this or if it's possible? Aside from this one the only thing I could think of to secure the data is storing the files to the database which I'm trying to avoid.
on 2006-05-31 18:08
I'm doing something similar. When you upload a file, associate the user who did the upload with the file. Then when someone tries to access a file, run a before filter on the action that allows people to access a file. In the before filter check if the person trying to access the file is the same person who uploaded the file. -Steven
on 2006-05-31 18:27
That would only provide true protection if the images were stored in the database - something Donald is trying to avoid. This is a problem that has trouble many a web developer over the years. A common method is to run all of your images via script that redirects to the image: <img src="/myimagecontroller/view/imagename.jpg"/> ... class ImageController < ApplicationController def view redirect_to('/images/'+params[:image]) end end ... (Note: i have no idea whether the above would work - it should demonstrate the idea though) In that case you apply the before_filter as usual. However, this still would protect the images fully as you could still manually type the address in. That would require guesswork of course and if you kept the image names/dirs as numbers mapping to filenames in the db (1234 => 'imagename.jpg') it should be reasonably secure. If you need things to be more secure than that, you could store the images in a non-web accessible dir and open the images server side to push to the browser - that'd probably incur a fairly big processing hit though :0) I don't know whether you could use htaccess to deny or allow directories based cookies or something - in which case you could set a value that apache picks up when the file is requested. Anyway - a lot of that is rambling but hopefully some of it is useful :0) Steve
on 2006-05-31 19:34
I think my situation is a bit different as I am not displaying files, but allowing people to download them. I've put the directory that stores the images below the web root and since the downloads are one offs, opening the file server side isn't really a problem. I'm probably talking out of my %$^#&*, but what if you used AJAX? For each image you want to display, make an Ajax call to the relevant controller::action. Yes this would be slower than having the webserver send the image without getting ruby involved, but might it be fast enough? -Steven
on 2006-05-31 19:56
What I did is put it in a directory not accessible to the web server, and serve it with send_file. Still beats storing it in the DB. But for publicly accessible files I also did a special rewrite on lighty (a similar thing could be done with apache) to point to symlinks into the private area. This way public files can be accessed without Rails interaction, but private files still go through rails with all the security. I described what I did (it's a bit different now and I can help you get it going if you need to) so you can see how to do it on your system: http://devblog.famundo.com/articles/2006/03/22/sma... Bye, Guy.
on 2006-05-31 22:33
> Does anyone know how to restrict access on files that you upload in file > column to certain users only? I notice that files being saved by the > file_column by default are being saved under the public folder and can > be accessed just by typing the URL directly. Let's say you have a Login > system where you restrict access to some pages and allow those users to > upload their own files, I also want those files to be secured and only > allow users who uploaded those files to be able to access it. In my branch of file_column (http://svn.kylemaxwell.com/file_column/), i use a salted SHA1 hash of the primary key for the image storage folder. It's not truly secure, per se, but you can't guess the file name. -- Kyle Maxwell Chief Technologist E Factor Media // FN Interactive firstname.lastname@example.org 1-866-263-3261