Hi, I was wondering what would be the best practices to handle a file managing system that needs to restrict files to users according to their authentication. If I were to put all uploaded files in /public/files, one can always get the URL from someone else and still be able to download the file, so I don't really like that method. I would prefer a before_filter approach, but there is no such thing when talking about /public. Any ideas?

Roland

-- Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk -~----------~----~----~----~------~----~------~--~---
Try loginGenerator and use another folder to upload the files?

I also would like to do what you are doing.

I believe you can just look at the session and, if it's valid, allow them access to a folder.
mixplate wrote:
> try loginGenerator and use another folder to upload the files?
>
> i also would like do what you are doing.
>
> i believe you can just look at session and if its valid, allow them
> access to a folder.

The authentication portion is not a problem here; however, I prefer the login/user engine.

As you say, that's the logic, but actually implementing it is what's bugging me. Routing to files is done differently than routing to functions.

Here are the options I am considering, but with little promise:

1. Place permissions on files and change permissions to read/write when an authenticated user tries to access the file. Drawback: When do you change back the permissions? Time to transfer is vulnerability time.

2. Storing the files in a database. Drawback: Space issues may affect database performance.

I am sure there has been some RoR project, such as a music store or ebook store, that allowed you to download files, but I have not found a method online yet.

Thanks for contributing,

Roland
Serving up a file download is really just sending the data of that file in encoded format with the appropriate headers, right? So, conceivably, you could store the files in an inaccessible folder, and when someone wants a download, your application checks security, then opens and reads a file from the inaccessible folder, then encodes and passes the data back to the requesting user with the appropriate header information for it to be received as a file download. No one else can use that link because it is security-checked against the user.

Just a thought - I have no idea what kind of performance issues this might introduce into your application.

Keep in mind also, this prevents someone from passing the link to a friend, but there's no way you can keep them from just downloading the file and sending that to their friend. You haven't really made the process of sharing a downloaded file that much more difficult. So, the question would be: do you really want to devote all this effort to what is, at best, a thin veil of protection?

c.

Roland Mai wrote:
> mixplate wrote:
>> try loginGenerator and use another folder to upload the files?
>>
>> i also would like do what you are doing.
>>
>> i believe you can just look at session and if its valid, allow them
>> access to a folder.
>
>
> The authentication portion is not a problem here, however, I prefer the
> login/user engine.
>
> As you say that's the logic but actually implementing, it's what's
> bugging me. Routing to files is done differently than routing to
> functions.
> Here are the options I am considering but with little promise:
>
> 1. Place permissions on files and change permissions to read/write when
> an authenticated user tried to access the file. Drawback: When do you
> change back the permissions? Time to transfer is vulnerability time.
>
> 2. Storing the files in a database. Drawback: Space issues may affect
> database performance.
>
> I am sure there has been some RoR project such as a music store or
> ebook store that allowed you to download files from, but have not found
> a method online yet.
>
> Thanks for contributing,
>
> Roland
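The approach c. describes (keep the files outside public/, run the authorization check on every request, and only then read the file and hand it back with download headers) is what a Rails controller action guarded by a before_filter and ending in send_file does. The example below is added here and is not code from the thread or from any project named in it. It is plain Ruby so it runs without Rails: the Upload struct stands in for an uploads table row, ProtectedFileStore stands in for the controller logic, and the sample upload rows and file contents are constructed. Two checks the thread does not mention are included because they are where this design usually goes wrong: the stored path is resolved and confirmed to lie under the private directory (otherwise a stored name such as ../../etc/passwd walks out of it), and the Content-Disposition filename is sanitised so a user-supplied original name cannot inject header characters.

```ruby
require 'tmpdir'

# Stand-in for one row of an uploads table (constructed for this example).
# stored_name is the name on disk under the private directory; original_name
# is whatever the uploader called it and is treated as untrusted.
Upload = Struct.new(:id, :owner_id, :stored_name, :original_name, :content_type)

# Hypothetical helper modelling the "check, then read, then send" flow.
class ProtectedFileStore
  def initialize(base_dir, uploads)
    @base_dir = File.expand_path(base_dir)   # private dir, NOT under public/
    @uploads  = uploads                      # Hash of id => Upload (fake table)
  end

  # Authorization is decided on the database record, never on the URL alone.
  # Returns [absolute_path, upload] if user_id may download upload_id, else nil.
  def authorize(user_id, upload_id)
    upload = @uploads[upload_id]
    return nil unless upload && upload.owner_id == user_id
    path = safe_path(upload.stored_name)
    return nil unless path && File.file?(path)
    [path, upload]
  end

  # Resolve the stored name against base_dir and refuse anything that ends up
  # outside it (".." segments or an absolute path both fail this test).
  def safe_path(stored_name)
    path = File.expand_path(stored_name, @base_dir)
    path.start_with?(@base_dir + File::SEPARATOR) ? path : nil
  end

  # Headers a send_file-style response would carry. The filename is reduced
  # to a safe character set so the untrusted original name cannot break the
  # header, and nosniff stops browsers from second-guessing the content type.
  def download_headers(upload)
    safe_name = upload.original_name.gsub(/[^A-Za-z0-9._-]/, '_')
    {
      'Content-Type'           => upload.content_type,
      'Content-Disposition'    => "attachment; filename=\"#{safe_name}\"",
      'X-Content-Type-Options' => 'nosniff'
    }
  end

  # The whole action: authorize, read from the private directory, return the
  # bytes plus headers. nil means the caller should render 403/404.
  def read_for(user_id, upload_id)
    result = authorize(user_id, upload_id)
    return nil unless result
    path, upload = result
    [File.binread(path), download_headers(upload)]
  end
end

# Builds a throwaway private directory with constructed data and exercises
# the happy path and the three denial cases. Returns a Hash of outcomes.
def demo
  Dir.mktmpdir('private_uploads') do |dir|
    File.binwrite(File.join(dir, 'a1.pdf'), 'constructed pdf bytes')
    uploads = {
      7 => Upload.new(7, 1, 'a1.pdf', 'report;evil.pdf', 'application/pdf'),
      # Owned by user 2, but its stored name tries to escape the directory.
      8 => Upload.new(8, 2, '../../etc/passwd', 'passwd', 'text/plain')
    }
    store = ProtectedFileStore.new(dir, uploads)

    body, headers = store.read_for(1, 7)
    {
      owner_ok:          !body.nil?,
      body:              body,
      headers:           headers,
      other_user_denied: store.read_for(2, 7).nil?,   # not the owner
      unknown_denied:    store.read_for(1, 99).nil?,  # no such record
      traversal_denied:  store.read_for(2, 8).nil?    # owner, but path escapes
    }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

In a real Rails app the authorize step lives in the controller (or a before_filter) and the final line of the action is send_file with the resolved path, :type and :filename; for large files, letting the web server do the actual transfer via an X-Sendfile-style header keeps the authorization in Rails while avoiding the performance cost c. worries about.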