Forum: Ruby on Rails Restricting access to files uploaded by file_column

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
13a6fc5c44f7b3335ef22b8f6111acee?d=identicon&s=25 Donald Nakar (donsdgr81)
on 2006-05-31 09:34
Hi Guys,

Does anyone know how to restrict access on files that you upload in file
column to certain users only? I notice that files being saved by the
file_column by default are being saved under the public folder and can
be accessed just by typing the URL directly. Let's say you have a Login
system where you restrict access to some pages and allow those users to
upload their own files, I also want those files to be secured and only
allow users who uploaded those files to be able to access it.

Thanks.

Regards,
Dons
13a6fc5c44f7b3335ef22b8f6111acee?d=identicon&s=25 Donald Nakar (donsdgr81)
on 2006-05-31 12:30
Does anyone have an idea how to do this or if it's possible? Aside from
this one the only thing I could think of to secure the data is storing
the files to the database which I'm trying to avoid.
4034df6027cbecf3f4a19a711a248536?d=identicon&s=25 Steven Hansen (rooster)
on 2006-05-31 18:08
(Received via mailing list)
I'm doing something similar.  When you upload a file, associate the user
who did the upload with the file.

Then when someone tries to access a file, run a before filter on the
action that allows people to access a file.
In the before filter check if the person trying to access the file is
the same person who uploaded the file.

-Steven
882cc23c77c5c6d27613c51396a02a0d?d=identicon&s=25 Stephen Bartholomew (Guest)
on 2006-05-31 18:27
(Received via mailing list)
That would only provide true protection if the images were stored in the
database - something Donald is trying to avoid.

This is a problem that has trouble many a web developer over the years.
  A common method is to run all of your images via script that redirects
to the image:

<img src="/myimagecontroller/view/imagename.jpg"/>
...
class ImageController < ApplicationController
   def view
     redirect_to('/images/'+params[:image])
   end
end
...
(Note: i have no idea whether the above would work - it should
demonstrate the idea though)

In that case you apply the before_filter as usual.  However, this still
would protect the images fully as you could still manually type the
address in. That would require guesswork of course and if you kept the
image names/dirs as numbers mapping to filenames in the db (1234 =>
'imagename.jpg') it should be reasonably secure.

If you need things to be more secure than that, you could store the
images in a non-web accessible dir and open the images server side to
push to the browser - that'd probably incur a fairly big processing hit
though :0)

I don't know whether you could use htaccess to deny or allow directories
based cookies or something - in which case you could set a value that
apache picks up when the file is requested.

Anyway - a lot of that is rambling but hopefully some of it is useful
:0)

Steve
4034df6027cbecf3f4a19a711a248536?d=identicon&s=25 Steven Hansen (rooster)
on 2006-05-31 19:34
(Received via mailing list)
I think my situation is a bit different as I am not displaying files,
but allowing people to download them.
I've put the directory that stores the images below the web root and
since the downloads are one offs, opening
the file server side isn't really a problem.

I'm probably talking out of my %$^#&*, but what if you used AJAX?  For
each image you want to display, make an
Ajax call to the relevant controller::action.  Yes this would be slower
than having the webserver send the image without
getting ruby involved, but might it be fast enough?

-Steven
Cbff7ea94c9b2c4d5f7cfefd25be9ae2?d=identicon&s=25 Just Someone (Guest)
on 2006-05-31 19:56
(Received via mailing list)
What I did is put it in a directory not accessible to the web server,
and serve it with send_file. Still beats storing it in the DB. But for
publicly accessible files I also did a special rewrite on lighty (a
similar thing could be done with apache) to point to symlinks into the
private area.

This way public files can be accessed without Rails interaction, but
private files still go through rails with all the security.

I described what I did (it's a bit different now and I can help you
get it going if you need to) so you can see how to do it on your
system:

http://devblog.famundo.com/articles/2006/03/22/sma...

Bye,

Guy.
4bd34a2216dc8bdbf1f017f64e4d59e8?d=identicon&s=25 Kyle Maxwell (Guest)
on 2006-05-31 22:33
(Received via mailing list)
> Does anyone know how to restrict access on files that you upload in file
> column to certain users only? I notice that files being saved by the
> file_column by default are being saved under the public folder and can
> be accessed just by typing the URL directly. Let's say you have a Login
> system where you restrict access to some pages and allow those users to
> upload their own files, I also want those files to be secured and only
> allow users who uploaded those files to be able to access it.

In my branch of file_column (http://svn.kylemaxwell.com/file_column/),
i use a salted SHA1 hash of the primary key for the image storage
folder.  It's not truly secure, per se, but you can't guess the file
name.

--
Kyle Maxwell
Chief Technologist
E Factor Media // FN Interactive
kyle@efactormedia.com
1-866-263-3261
This topic is locked and can not be replied to.