I've been experimenting with the acts_as_attachment plugin and I've been pretty happy with it except for one thing. By default AAA puts the attached files into 'public/files', which is generally world readable. It is possible to bypass any security and download files directly from that directory if you know the filename.

For my particular needs, I need to ensure that specific files are only downloaded by authenticated users. Preferably only those with sufficient permission to access a particular file.

Does anyone have any suggestions for ways to secure uploaded files?

_Kevin

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---
Another example of solving the problem minutes after posting about it. Pretty easy too.

    acts_as_attachment :file_system_path => 'attachments'

will store the attachments outside of the public directory, so the web server won't deliver it.

Then all you need is an action in a controller like this:

    def download
      @attachment = Attachment.find(params[:id])
      send_file "#{@attachment.public_filename}"
    end
On 8/31/06, _Kevin <kevin.olbrich-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Another example of solving the problem minutes after posting about it.
> Pretty easy too.
>
>     acts_as_attachment :file_system_path => 'attachments'
>
> will store the attachments outside of the public directory, so the web
> server won't deliver it.
>
> Then all you need is an action in a controller like this:
>
>     def download
>       @attachment = Attachment.find(params[:id])
>       send_file "#{@attachment.public_filename}"
>     end

If you need a more custom path, you can override full_filename. Just look at how the plugin does it and tweak it to serve your needs.

--
Rick Olson
http://weblog.techno-weenie.net
http://mephistoblog.com
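Moving the files out of public/ stops the web server from handing them out, but Kevin's download action still serves any attachment to anyone who can guess an id, and it trusts whatever path the record resolves to. The permission check he asked for in the first message belongs in front of send_file, and if full_filename is overridden as Rick suggests, the resolved path should be confined to the attachment directory. The following plain-Ruby sketch, added here and not code from the thread or from the acts_as_attachment plugin, shows both checks; the Attachment and User structs, ATTACHMENT_ROOT, authorized?, safe_attachment_path and download are hypothetical stand-ins for the Rails model, session and controller action, and the attachment directory is a temporary directory created for the example.

```ruby
require 'tmpdir'
require 'fileutils'

# Constructed stand-in for the acts_as_attachment model: id, owning user,
# and the filename as stored on disk (outside the web server's document root).
Attachment = Struct.new(:id, :owner_id, :filename)

# Constructed stand-in for the logged-in user from the session.
User = Struct.new(:id, :admin)

# Private attachment directory (hypothetical; a temp dir so the example runs
# anywhere). Nothing outside it may be served, whatever a record says.
ATTACHMENT_ROOT = File.join(Dir.mktmpdir('aaa-example'), 'attachments')
FileUtils.mkdir_p(ATTACHMENT_ROOT)

# Write a sample file into the private directory (used by the demo below).
def seed_sample_file(name, content)
  path = File.join(ATTACHMENT_ROOT, name)
  File.write(path, content)
  path
end

# Authorization rule: the owner or an admin may fetch the file. In a real app
# this is whatever policy the first message calls "sufficient permission".
def authorized?(user, attachment)
  return false if user.nil?
  user.admin || user.id == attachment.owner_id
end

# Resolve the stored filename to an absolute path and refuse anything that
# escapes ATTACHMENT_ROOT, such as "../config/database.yml" or an absolute
# path. File.expand_path normalizes ".." before the prefix check.
def safe_attachment_path(attachment)
  root = File.expand_path(ATTACHMENT_ROOT)
  path = File.expand_path(attachment.filename, root)
  return nil unless path.start_with?(root + File::SEPARATOR)
  path
end

# What the download action should decide before calling send_file.
# Returns [http_status, path_or_message]; the controller would map 200 to
# send_file(path) and the rest to render/head with that status.
def download(user, attachment)
  return [401, 'not logged in'] if user.nil?
  return [403, 'forbidden'] unless authorized?(user, attachment)
  path = safe_attachment_path(attachment)
  return [404, 'not found'] if path.nil? || !File.file?(path)
  [200, path]
end

if __FILE__ == $0
  seed_sample_file('report.pdf', 'constructed sample content')
  owner = User.new(1, false)
  stranger = User.new(2, false)
  report = Attachment.new(10, 1, 'report.pdf')
  escape = Attachment.new(11, 1, '../outside.txt')
  p download(nil, report)       # => [401, "not logged in"]
  p download(stranger, report)  # => [403, "forbidden"]
  p download(owner, escape)     # => [404, "not found"]
  p download(owner, report)     # => [200, ".../attachments/report.pdf"]
end
```

Returning 404 rather than 403 for a record that resolves outside the directory avoids confirming to the caller that such a record exists; the important part is that send_file is only ever reached with a path inside ATTACHMENT_ROOT and after the permission check has passed.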
Actually, the method I posted works pretty well, so I see no reason to change that.

I did run into one problem though... when trying to get it to create thumbnails I keep getting errors about a method called 'find_or_initialize_by.....'. If I'm not mistaken, that method only appears in edge rails right now, and that causes the acts_as_attachment thumbnailing to fail on any of the standard rails releases.

_Kevin