>
> A second question concerning good ROR practices - where in
> the ROR directory structure should I put documents (such as
> test.pdf) that I wish users to have access to? Since these are
> restricted documents, I'm concerned about having them in the
> public folder.
>
You can put them anywhere but public. Anything in public bypasses rails
and is served directly by the web server. Anyone that knows the URL has
access to the information. I historically have created a sibling
directory to public called protected, and I place my protected documents
there. I then use a route like so:

config/routes.rb

    # Static content control
    map.connect '/protected/*path', :controller => 'protected', :action => 'render_static'

So that rails will be invoked and call the render_static action on any
attempted access to data in this folder tree. Then, things get a bit
messy. First, you must determine if the requester is authorized to the
material. Then, if the material is an html file, you need to render it
using the 'render' method, otherwise, you need to compute the mimetype
of the file and use the 'send_file' method to send it. An exercise, as
they say, for the reader.

app/controllers/protected_controller.rb

    def render_static(mimetype="", disposition="inline")
      requested_file = params[:path].to_s
      # render or send_file, as you please
    end

You probably want to make sure that no one can initiate a directory
traversal attack, via some magic like '../../../etc/passwd' and such
too. I'm not sure if rails protects you from such things or not.
Lastly, if the requested data is not on file, or not authorized, you may
wish to render /public/404.html or similar.
HTH
Regards,
Rich
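
Added example, not part of the original message or of Rails: one way to do the path check and the render/send_file decision described above, in plain Ruby so it runs without Rails. The helper names (resolve_protected, delivery_for, build_sample_tree), the small mimetype table and the sample files are assumptions made up for illustration; the symlink check goes a step beyond the '../' case the message mentions.

```ruby
require 'tmpdir'
require 'fileutils'

# Helper names below are hypothetical; they are not Rails APIs.
MIME_BY_EXT = { '.pdf' => 'application/pdf', '.txt' => 'text/plain' }.freeze

# Map the *path route parameter onto a file under root.
# Returns the canonical absolute path, or nil if the request must be refused.
def resolve_protected(root, requested)
  root = File.realpath(root)
  # A glob parameter may arrive as one string or as an array of segments.
  relative = Array(requested).join('/')
  return nil if relative.empty? || relative.include?("\0")

  # Joining first keeps absolute and "~" inputs under root; expand_path
  # then collapses any "../" segments so the prefix check is meaningful.
  candidate = File.expand_path(File.join(root, relative))
  return nil unless candidate.start_with?(root + File::SEPARATOR)
  return nil unless File.file?(candidate)

  # Resolve symlinks and check again, so a link inside the tree cannot
  # point the response at a file outside it.
  real = File.realpath(candidate)
  real.start_with?(root + File::SEPARATOR) ? real : nil
end

# Decide what the action should do: [:render, path] for HTML,
# [:send_file, path, mimetype] otherwise, [:not_found] when refused.
def delivery_for(root, requested, authorized)
  path = authorized ? resolve_protected(root, requested) : nil
  return [:not_found] if path.nil?

  ext = File.extname(path).downcase
  return [:render, path] if ext == '.html'

  [:send_file, path, MIME_BY_EXT.fetch(ext, 'application/octet-stream')]
end

# Constructed sample tree: protected/ holds two documents, and a secret
# file sits beside it to stand in for anything outside the tree.
def build_sample_tree
  base = Dir.mktmpdir('protected_demo')
  root = File.join(base, 'protected')
  FileUtils.mkdir_p(File.join(root, 'docs'))
  File.write(File.join(root, 'docs', 'test.pdf'), '%PDF-constructed')
  File.write(File.join(root, 'index.html'), '<p>constructed</p>')
  File.write(File.join(base, 'secret.txt'), 'outside the tree')
  File.symlink(File.join(base, 'secret.txt'), File.join(root, 'link.txt'))
  root
end
```

Unauthorized, missing and out-of-tree requests all get the same :not_found answer, so the response does not reveal which files exist.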