I'm writing an app for a blood exam center, where people can go and check the results without going physically there. The customers log in the system and a pdf download is offered to them. The downloads though will not be stored in the db but in the filesystem.

How can I allow people to download files only if they're authorised? I obviously can't store all the files in /public because once someone figures the naming scheme they're able to view other customers' data.

Any suggestion?
Matthias Wiemann
2006-Apr-11 12:09 UTC
[Rails] Offering downloads only to registered users
You'll need to check if the user is authorized, and then do a send_file.

cheers
mat

From: rails-bounces@lists.rubyonrails.org [mailto:rails-bounces@lists.rubyonrails.org] On Behalf Of Giovanni Intini
Sent: Tuesday, 11 April 2006 13:27
To: Rails@lists.rubyonrails.org
Subject: [Rails] Offering downloads only to registered users

I'm writing an app for a blood exam center, where people can go and check the results without going physically there. The customers log in the system and a pdf download is offered to them. The downloads though will not be stored in the db but in the filesystem.

How can I allow people to download files only if they're authorised? I obviously can't store all the files in /public because once someone figures the naming scheme they're able to view other customers' data.

Any suggestion?
you have many options: let rails provide the downloads (generally bad idea, but very simple to implement), S3 storage API from amazon, or my preferred solution: Lighttpd with mod_secdownload.

On 4/11/06, Giovanni Intini <intinig@gmail.com> wrote:
> I'm writing an app for a blood exam center, where people can go and check
> the results without going physically there. The customers log in the system
> and a pdf download is offered to them. The downloads though will not be
> stored in the db but in the filesystem.
>
> How can I allow people to download files only if they're authorised? I
> obviously can't store all the files in /public because once someone figures
> the naming scheme they're able to view other customers' data.
>
> Any suggestion?

--
Roberto Saccon - http://rsaccon.com
2006/4/11, Matthias Wiemann <matthias.wiemann@marketmondiale.com>:
> You'll need to check if the user is authorized, and then do a send_file.

I didn't look into send_file, thanks.
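The check that has to happen before `send_file`, as an added example that is not code from anyone in this thread: the requested id is mapped to a record, the record must belong to the logged-in customer, and the resolved path must stay under the storage root. `RESULTS_ROOT`, the `RESULTS` table, `Forbidden` and `downloadable_path` are hypothetical names, and the table stands in for a database lookup.

```ruby
# Added example; every name below is hypothetical.
RESULTS_ROOT = "/var/lab/results" # outside the web server's document root

# Constructed sample records: result id => owning customer and stored file.
RESULTS = {
  101 => { customer_id: 7, file: "2006/04/a91f.pdf" },
  102 => { customer_id: 8, file: "2006/04/c07e.pdf" },
  103 => { customer_id: 7, file: "../../../etc/passwd" } # corrupted record
}.freeze

class Forbidden < StandardError; end

# Returns the absolute path the customer may download, or raises Forbidden.
def downloadable_path(current_customer_id, result_id, root: RESULTS_ROOT)
  # The client only ever supplies an id, never a file name or path.
  record = RESULTS[Integer(result_id.to_s, 10)]
  # Same error for "no such result" and "someone else's result", so the
  # response does not reveal which ids exist.
  raise Forbidden if record.nil? || record[:customer_id] != current_customer_id

  # Resolve ".." segments and make sure the file is still under the root.
  path = File.expand_path(record[:file], root)
  raise Forbidden unless path.start_with?(File.join(root, ""))

  path
rescue ArgumentError # result_id was not a plain decimal number
  raise Forbidden
end

# In a controller action (assuming the login stored the id in the session):
#   send_file downloadable_path(session[:customer_id], params[:id]),
#             :type => "application/pdf"
```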
2006/4/11, Roberto Saccon <rsaccon@gmail.com>:
> you have many options: let rails provide the downloads (generally bad
> idea, but very simple to implement), S3 storage API from amazon, or my
> preferred solution: Lighttpd with mod_secdownload.

Why do you think sending it via rails is a bad idea? And do you have any pointers to mod_secdownload documentation?
On Apr 11, 2006, at 4:27 AM, Giovanni Intini wrote:
> How can I allow people to download files only if they're
> authorised? I obviously can't store all the files in /public
> because once someone figures the naming scheme they're able to view
> other customers' data.
>
> Any suggestion?

Although probably not the best way, this worked well for me because I had literally thousands of different files which needed authorized access. Each account only had access to a unique subset of those thousands of files, and some files were larger than 1 GB. I was using Apache, so I don't know how well this will work with lighttpd.

This is how I did it:

1. Place the secure files into a private directory.
2. When an account needs access to a file, create a public directory with a unique name (impossible to guess).
3. Create a symbolic link in the new public directory linking to the file in the private directory.
4. When you want the link to expire, just remove the sym link and/or public directory.

Of course, this was all scripted so nothing had to be done manually. If you are just dealing with small files or only one file, there are definitely better ways to handle this.

Hope that helps.

Ryan
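The four steps above as a script, added here as an illustration and not the script Ryan used: the class name `DownloadGrants`, its methods and the directory layout are assumptions. The directory name is drawn from the operating system's CSPRNG, and a grant is refused when the file name resolves outside the private directory.

```ruby
require "securerandom"
require "fileutils"
require "tmpdir"

# Added example; class, method and directory names are hypothetical.
class DownloadGrants
  def initialize(private_dir, public_dir)
    @private_dir = File.realpath(private_dir) # step 1: files live here
    @public_dir  = File.realpath(public_dir)  # served by the web server
  end

  # Steps 2 and 3: an unguessable public directory holding one symlink.
  # Returns the path relative to the public root, to be turned into a URL.
  def grant(filename)
    target = File.realpath(File.join(@private_dir, filename))
    # Refuse names that resolve outside the private directory ("../" etc.).
    unless target.start_with?(@private_dir + File::SEPARATOR)
      raise ArgumentError, "not inside the private directory"
    end

    token = SecureRandom.urlsafe_base64(32) # 256 random bits, 43 characters
    dir = File.join(@public_dir, token)
    Dir.mkdir(dir, 0o755)
    File.symlink(target, File.join(dir, File.basename(target)))
    File.join(token, File.basename(target))
  end

  # Step 4: expire the link. Only the symlink and its directory are removed;
  # the private file is untouched.
  def revoke(token)
    raise ArgumentError, "bad token" unless token.match?(/\A[A-Za-z0-9_-]+\z/)

    FileUtils.rm_rf(File.join(@public_dir, token))
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root| # constructed layout standing in for the real one
    priv, pub = File.join(root, "private"), File.join(root, "public")
    [priv, pub].each { |d| Dir.mkdir(d) }
    File.write(File.join(priv, "result-1.pdf"), "constructed sample")
    grants = DownloadGrants.new(priv, pub)
    rel = grants.grant("result-1.pdf")
    puts "link: /#{rel}"
    grants.revoke(File.dirname(rel))
  end
end
```

The returned path is a bearer secret: anyone who learns the URL can fetch the file until `revoke` runs, so directory listing has to be off for the public directory. The web server must also be allowed to follow symlinks (in Apache, `Options FollowSymLinks`).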
Andrew Kortina
2006-Aug-22 19:20 UTC
[Rails] Re: Offering downloads only to registered users
Hi,

Does anyone know of a library for ruby on rails to integrate S3 storage and only allow authorized downloads? I did a little bit of searching and found rsh3ll for ruby, but didn't find anyone talking about integrating this with rails.

I don't know too much about S3, but is it possible to grant one of the users of my site limited access to download one file, for say a 24-hour period?

If anyone has ideas or links to good articles, please send them my way. Thanks.

Roberto Saccon wrote:
> you have many options: let rails provide the downloads (generally bad
> idea,
> but very simple to implement), S3 storage API from amazon, or my
> preferred
> solution: Lighttpd with mod_secdownload.
Hi,

There's a ruby library available at the aws site:
http://developer.amazonwebservices.com/connect/entry.jspa?externalID=135&categoryID=47

and check this out, too:
http://townx.org/blog/elliot/s3_rails

Hope this helps,
Damien