Hey guys, So I''m building a Rails 3 app and one of the major things it needs to do is let users upload photos into their own photo albums. That part in and of itself isn''t a problem; where I''m a bit short on knowledge is the proper way to *secure* that information. Say we have 3 users: a, b, c. A and B are friends, C doesn''t know either one of them. A uploads photos into his/her album, which is marked to be viewed by "friends only", so B can see those photos, but not C. However, what''s to stop B from grabbing the URL to the photo of A and then sending it to C over iChat or something? C gets the image pulled up without even so much as a login. I might be going a bit overkill here, but with all the recent discussion in the technology industry about individual privacy, I want to make sure this problem gets solved RIGHT. The only way I know to do this off the top of my head is to set the image source as a Ruby script itself, and have that script (or method in a controller) do the checks, then if they''re good, retrieve the image and then send the raw image data down. I''ve done that with PHP before, but truth be told, I don''t like it because it seems rather inefficient. Is there a good way to do this, or is it generally acceptable that, while my app won''t show C any photos of A, those photos aren''t *actually* protected from a raw GET request, if somebody knew where to look? Thanks :-) -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
On Mar 13, 12:47 pm, Phoenix Rising <polarisris...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> However, what''s to stop B from grabbing the URL to the photo of A and > then sending it to C over iChat or something? C gets the image pulled > up without even so much as a login. > > I might be going a bit overkill here, but with all the recent > discussion in the technology industry about individual privacy, I want > to make sure this problem gets solved RIGHT. The only way I know to > do this off the top of my head is to set the image source as a Ruby > script itself, and have that script (or method in a controller) do the > checks, then if they''re good, retrieve the image and then send the raw > image data down. I''ve done that with PHP before, but truth be told, I > don''t like it because it seems rather inefficient.Doesn''t have to be inefficient with something like X-SendFile. None of this would stop B just sending the file to C though. Fred> > Is there a good way to do this, or is it generally acceptable that, > while my app won''t show C any photos of A, those photos aren''t > *actually* protected from a raw GET request, if somebody knew where to > look? > > Thanks :-)-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Curtis j Schofield
2011-Mar-13 16:54 UTC
Re: How should I properly secure uploaded photos?
On Sun, Mar 13, 2011 at 5:47 AM, Phoenix Rising <polarisrising-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>wrote:> Hey guys, > > So I''m building a Rails 3 app and one of the major things it needs to > do is let users upload photos into their own photo albums. That part > in and of itself isn''t a problem; where I''m a bit short on knowledge > is the proper way to *secure* that information. > > Say we have 3 users: a, b, c. A and B are friends, C doesn''t know > either one of them. A uploads photos into his/her album, which is > marked to be viewed by "friends only", so B can see those photos, but > not C. > > However, what''s to stop B from grabbing the URL to the photo of A and > then sending it to C over iChat or something? C gets the image pulled > up without even so much as a login. > >Write a rails controller that handles sending images and has auth on it, or a metal controller that sends the images and checks an expiration stamp, associated with the url. You may have better things to learn or do, before you solve this properly - as Fred said - the file can get saved, sent or anything once it is out of your system. -- make haste slowly \ festina lente \ - mobile +1_415_632_6001 curtis.schofield-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org <curtis-DDU1nqEjlGkHaT8GDLgCUg@public.gmane.org> http://robotarmyma.de -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Robert Pankowecki (rupert)
2011-Mar-13 18:36 UTC
Re: How should I properly secure uploaded photos?
It''s easy to use google when you know what to look for: "X-SendFile". http://www.therailsway.com/2009/2/22/file-downloads-done-right Thanks Frederick for the info Robert Pankowecki -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.