Rails - May 2006 - Restricting access to files uploaded by file_column

Hi Guys,

Does anyone know how to restrict access on files that you upload in file 
column to certain users only? I notice that files being saved by the 
file_column by default are being saved under the public folder and can 
be accessed just by typing the URL directly. Let''s say you have a Login
system where you restrict access to some pages and allow those users to 
upload their own files, I also want those files to be secured and only 
allow users who uploaded those files to be able to access it.

Thanks.

Regards,
Dons

-- 
Posted via http://www.ruby-forum.com/.

Does anyone have an idea how to do this or if it''s possible? Aside from
this one the only thing I could think of to secure the data is storing 
the files to the database which I''m trying to avoid.

-- 
Posted via http://www.ruby-forum.com/.

I''m doing something similar.  When you upload a file, associate the
user
who did the upload with the file.

Then when someone tries to access a file, run a before filter on the 
action that allows people to access a file.
In the before filter check if the person trying to access the file is 
the same person who uploaded the file.

-Steven


Donald Nakar wrote:
> Does anyone have an idea how to do this or if it''s possible? Aside
from
> this one the only thing I could think of to secure the data is storing 
> the files to the database which I''m trying to avoid.
>
>

That would only provide true protection if the images were stored in the 
database - something Donald is trying to avoid.

This is a problem that has trouble many a web developer over the years. 
  A common method is to run all of your images via script that redirects 
to the image:

<img src="/myimagecontroller/view/imagename.jpg"/>
...
class ImageController < ApplicationController
   def view
     redirect_to(''/images/''+params[:image])
   end
end
...
(Note: i have no idea whether the above would work - it should 
demonstrate the idea though)

In that case you apply the before_filter as usual.  However, this still 
would protect the images fully as you could still manually type the 
address in. That would require guesswork of course and if you kept the 
image names/dirs as numbers mapping to filenames in the db (1234 => 
''imagename.jpg'') it should be reasonably secure.

If you need things to be more secure than that, you could store the 
images in a non-web accessible dir and open the images server side to 
push to the browser - that''d probably incur a fairly big processing hit
though :0)

I don''t know whether you could use htaccess to deny or allow
directories
based cookies or something - in which case you could set a value that 
apache picks up when the file is requested.

Anyway - a lot of that is rambling but hopefully some of it is useful :0)

Steve




Steven Hansen wrote:
> 
> I''m doing something similar.  When you upload a file, associate
the user
> who did the upload with the file.
> 
> Then when someone tries to access a file, run a before filter on the 
> action that allows people to access a file.
> In the before filter check if the person trying to access the file is 
> the same person who uploaded the file.
> 
> -Steven
> 
> 
> Donald Nakar wrote:
> 
>> Does anyone have an idea how to do this or if it''s possible?
Aside
>> from this one the only thing I could think of to secure the data is 
>> storing the files to the database which I''m trying to avoid.
>>
>>   
> 
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
> 
> 
>

I think my situation is a bit different as I am not displaying files, 
but allowing people to download them.
I''ve put the directory that stores the images below the web root and 
since the downloads are one offs, opening
the file server side isn''t really a problem.

I''m probably talking out of my %$^#&*, but what if you used AJAX? 
For
each image you want to display, make an
Ajax call to the relevant controller::action.  Yes this would be slower 
than having the webserver send the image without
getting ruby involved, but might it be fast enough?

-Steven


Stephen Bartholomew wrote:
> That would only provide true protection if the images were stored in 
> the database - something Donald is trying to avoid.
>
> This is a problem that has trouble many a web developer over the 
> years.  A common method is to run all of your images via script that 
> redirects to the image:
>
> <img src="/myimagecontroller/view/imagename.jpg"/>
> ...
> class ImageController < ApplicationController
>   def view
>     redirect_to(''/images/''+params[:image])
>   end
> end
> ...
> (Note: i have no idea whether the above would work - it should 
> demonstrate the idea though)
>
> In that case you apply the before_filter as usual.  However, this 
> still would protect the images fully as you could still manually type 
> the address in. That would require guesswork of course and if you kept 
> the image names/dirs as numbers mapping to filenames in the db (1234 
> => ''imagename.jpg'') it should be reasonably secure.
>
> If you need things to be more secure than that, you could store the 
> images in a non-web accessible dir and open the images server side to 
> push to the browser - that''d probably incur a fairly big
processing
> hit though :0)
>
> I don''t know whether you could use htaccess to deny or allow 
> directories based cookies or something - in which case you could set a 
> value that apache picks up when the file is requested.
>
> Anyway - a lot of that is rambling but hopefully some of it is useful :0)
>
> Steve
>
>
>
>
> Steven Hansen wrote:
>>
>> I''m doing something similar.  When you upload a file,
associate the
>> user who did the upload with the file.
>>
>> Then when someone tries to access a file, run a before filter on the 
>> action that allows people to access a file.
>> In the before filter check if the person trying to access the file is 
>> the same person who uploaded the file.
>>
>> -Steven
>>
>>
>> Donald Nakar wrote:
>>
>>> Does anyone have an idea how to do this or if it''s
possible? Aside
>>> from this one the only thing I could think of to secure the data is
>>> storing the files to the database which I''m trying to
avoid.
>>>
>>>   
>>
>> _______________________________________________
>> Rails mailing list
>> Rails@lists.rubyonrails.org
>> http://lists.rubyonrails.org/mailman/listinfo/rails
>>
>>
>>
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

What I did is put it in a directory not accessible to the web server,
and serve it with send_file. Still beats storing it in the DB. But for
publicly accessible files I also did a special rewrite on lighty (a
similar thing could be done with apache) to point to symlinks into the
private area.

This way public files can be accessed without Rails interaction, but
private files still go through rails with all the security.

I described what I did (it''s a bit different now and I can help you
get it going if you need to) so you can see how to do it on your
system:

http://devblog.famundo.com/articles/2006/03/22/smart-caching-and-mod_rewrite-black-magic

Bye,

Guy.

On 5/31/06, Donald Nakar <donsdgr81@gmail.com>
wrote:
> Does anyone have an idea how to do this or if it''s possible? Aside
from
> this one the only thing I could think of to secure the data is storing
> the files to the database which I''m trying to avoid.
>
> --
> Posted via http://www.ruby-forum.com/.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

-- 
Family management on rails: http://www.famundo.com - coming soon!
My development related blog: http://devblog.famundo.com

> Does anyone know how to restrict access on files that you upload in file
> column to certain users only? I notice that files being saved by the
> file_column by default are being saved under the public folder and can
> be accessed just by typing the URL directly. Let''s say you have a
Login
> system where you restrict access to some pages and allow those users to
> upload their own files, I also want those files to be secured and only
> allow users who uploaded those files to be able to access it.
In my branch of file_column (http://svn.kylemaxwell.com/file_column/),
i use a salted SHA1 hash of the primary key for the image storage
folder.  It''s not truly secure, per se, but you can''t guess
the file
name.

-- 
Kyle Maxwell
Chief Technologist
E Factor Media // FN Interactive
kyle@efactormedia.com
1-866-263-3261