My RoR site will offer a software product with a freebie reduced functionality version and a for sale version. I've done the store site except for the downloading and credit card processing. For the latter I've investigated and made some choices. But to support downloading the product, what are the best practices? Are there code snippets available? Is it better to do this with a 'secret url' or what? I'm a newbie at this particular thing. If you have a sense of security or other trade-offs, I'd much appreciate your input. thanks so much.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---
minka wrote:
> But to support downloading the product, what are the best practices?
> Are there code snippets available? Is it better to do this with a
> 'secret url' or what? I'm a newbie at this particular thing.

Security through obscurity is barely any security at all.

1) Put the file to download in a directory that your rails scripts can read from the filesystem, but that the user cannot request as a URL.
2) Have the user request a file that is a ruby script.
3) Have that script see if the user is allowed to download the file. If so, the script reads the file from the disk and streams it out to the user (setting HTTP headers as appropriate for the file type and name).
Hello,

On 30 Oct 2006, at 20:07, minka wrote:
> But to support downloading the product, what are the best practices?
> Are there code snippets available? Is it better to do this with a
> 'secret url' or what? I'm a newbie at this particular thing.
> If you have a sense of security or other trade-offs, I'd much
> appreciate your input. thanks so much.

I'm not sure about best practices here, but this simple approach works:

1. Store your product somewhere on the file system where it can't be reached from a URL, i.e. outside the public/ directory.
2. Write an action in your controller which uses send_file [1] to send your product to the browser. You can add in any other behaviour you like in this action such as counting the number of downloads, only sending the file if it's Tuesday and the caller's IP address is an even number, etc.

Hope that helps,
Andy Stewart

[1] http://api.rubyonrails.org/classes/ActionController/Streaming.html#M000072
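The two replies above describe the same pattern: keep the product file outside public/, and let a controller action decide whether to hand it over. The block below is an added example, not code from the thread or from Rails itself. It models that decision in plain Ruby so it runs without a Rails app: the download root is a temporary directory standing in for a directory outside public/, and the catalog (PRODUCTS), the purchase table (PURCHASES) and the helper names (entitled?, product_path, download_options) are hypothetical. It also adds the check a practitioner would want that neither reply spells out: the resolved path must stay under the download root, so a bad catalog entry or a crafted name cannot make send_file read an arbitrary file.

```ruby
require 'pathname'
require 'tmpdir'

# Stand-in for the directory that holds the product archives. It is OUTSIDE
# public/, so the web server never serves it directly; only this code reads it.
DOWNLOAD_ROOT = Pathname.new(Dir.mktmpdir('products'))

# Constructed sample catalog: product name (as it appears in the URL) => the
# file on disk and whether it is the free version. A real site keeps this in
# the database.
PRODUCTS = {
  'widget-lite' => { file: 'widget-lite-1.0.zip', free: true },
  'widget-pro'  => { file: 'widget-pro-1.0.zip',  free: false },
}

# Constructed sample purchases: user id => product names that user has paid for.
PURCHASES = { 7 => ['widget-pro'] }

# Write small placeholder archives so the example can be run as-is.
PRODUCTS.each_value do |p|
  File.write(DOWNLOAD_ROOT + p[:file], "constructed sample archive")
end

class DownloadDenied < StandardError; end

# Entitlement check: the free edition is open to everyone, the paid edition
# only to users with a matching purchase. Unknown products are never entitled.
def entitled?(user_id, product)
  return false unless PRODUCTS.key?(product)
  PRODUCTS[product][:free] || PURCHASES.fetch(user_id, []).include?(product)
end

# Resolve the on-disk path for a product. The product name comes from the
# request, so it is looked up in the catalog rather than used as a path, and the
# resolved path is required to stay inside DOWNLOAD_ROOT (Pathname#+ collapses
# "..", so an escaping entry ends up outside the root and is refused).
def product_path(product)
  entry = PRODUCTS[product] or raise DownloadDenied, "unknown product"
  path = (DOWNLOAD_ROOT + entry[:file]).cleanpath
  unless path.to_s.start_with?(DOWNLOAD_ROOT.to_s + File::SEPARATOR)
    raise DownloadDenied, "path escapes download root"
  end
  raise DownloadDenied, "file missing" unless path.file?
  path
end

# The decision the controller action makes: returns the arguments for
# send_file when the request is authorised, raises DownloadDenied otherwise.
def download_options(user_id, product)
  raise DownloadDenied, "not entitled" unless entitled?(user_id, product)
  path = product_path(product)
  {
    path:        path.to_s,
    filename:    File.basename(path),       # name the browser saves it under
    type:        'application/zip',         # Content-Type header
    disposition: 'attachment',              # Content-Disposition header
  }
end

# In the Rails controller the action reduces to (assumes a current_user helper):
#
#   def download
#     opts = download_options(current_user.id, params[:product])
#     send_file opts[:path], filename: opts[:filename],
#                            type: opts[:type], disposition: opts[:disposition]
#   rescue DownloadDenied
#     head :forbidden
#   end
```

Because every download goes through the action, the free edition can be served the same way as the paid one, which gives a download count for both and leaves only one code path to audit. The path check is deliberately independent of the entitlement check: it guards against the catalog row itself being wrong, not just against a user asking for something they have not bought.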