cassiommc-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2008-Feb-16 11:29 UTC
How to control access to resources (pictures and files) inside application?
I'm writing an application that will have lots of images and files that should be accessed only by authorized people. Where should I put these files inside the directory tree to avoid users typing the direct path to the file and getting it without being logged in to the application? Thank you!

--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
JimCifarelli
2008-Feb-16 16:04 UTC
Re: How to control access to resources (pictures and files) inside application?
Hello,

Check out my reply to another question: http://groups.google.com/group/rubyonrails-talk/browse_thread/thread/166febb118641065/687b918da8146023

The idea is that you put your files outside of the public area (so no one can type the URL), then you program a header rewrite so that your web server (Apache, Nginx, etc.) serves the file after you've authorized that request. Since it's a rewrite, the real name of a file can be "X23456.jpg" but served as "cassiommc_requested_image.jpg".

Avoid sendfile if you're using Mongrel to serve your Rails application, and plow through the header programming above.

Good luck,
Jim
Bbq Plate
2008-Feb-16 16:19 UTC
Re: How to control access to resources (pictures and files)
Hi, I've been researching this and I found X-Sendfile and X-Accel-Redirect for nginx. They can be used for downloads; however, can these be used to render images to a view? Thanks for any help!

JimCifarelli wrote:
> Hello,
>
> Check out my reply to another question:
> http://groups.google.com/group/rubyonrails-talk/browse_thread/thread/166febb118641065/687b918da8146023
>
> The idea is that you put your files outside of the public area (so no
> one can type the URL), then you program a header rewrite so that your
> web server (Apache, Nginx, etc.) serves the file after you've
> authorized that request. Since it's a rewrite, the real name of a
> file can be "X23456.jpg" but served as "cassiommc_requested_image.jpg"
>
> Avoid sendfile if you're using Mongrel to serve your Rails application,
> and plow through the header programming above.
>
> Good luck,
> Jim

-- 
Posted via http://www.ruby-forum.com/.
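An added example (not code from Jim's linked reply or from any project) of the decision half of what Jim and the X-Accel-Redirect question above describe: the Rails/Rack application authorizes the request and then hands the transfer to nginx with the header. The FILES map, the user ids and the /protected/ nginx location are constructed for the example.

```ruby
# Constructed lookup: the public name the browser asks for never equals the
# name on disk, and each record carries who may see it. A real application
# would keep this in a database table.
FILES = {
  'cassiommc_requested_image.jpg' => { real: 'X23456.jpg', owner: 42 },
}.freeze

# Returns a Rack-style [status, headers, body] triple.
# session_user_id comes from the authenticated session (nil = not logged in).
# On success the body is empty: nginx reads the file from its internal
# location, so the application process never streams the bytes itself.
def protected_file_response(public_name, session_user_id)
  text = { 'Content-Type' => 'text/plain' }
  return [401, text, ['login required']] if session_user_id.nil?
  record = FILES[public_name]
  # Unknown names (including anything like "../X23456.jpg") are simply not in
  # the map, so no user-supplied string ever becomes part of the internal path.
  return [404, text, ['not found']] if record.nil?
  return [403, text, ['forbidden']] unless record[:owner] == session_user_id
  headers = {
    # Must point below an nginx location marked "internal" (constructed):
    #   location /protected/ { internal; alias /srv/app/private_files/; }
    'X-Accel-Redirect' => "/protected/#{record[:real]}",
    # The browser sees the public name; nginx sets Content-Type from the
    # real file's extension because the application sends none.
    'Content-Disposition' => "inline; filename=\"#{public_name}\""
  }
  [200, headers, []]
end
```

Because an `<img src="...">` in a view is just another GET to this action, the same response serves images inline as it does downloads. With Apache and mod_xsendfile the header would be X-Sendfile carrying the filesystem path instead.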
cassiommc-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2008-Feb-17 15:15 UTC
Re: How to control access to resources (pictures and files) inside application?
Thanks for your reply! But can this work to serve the images to the view? That's what I'll really need; I think I didn't express myself well. Thank you!

On Feb 16, 1:04 pm, JimCifarelli <cifare...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hello,
>
> Check out my reply to another question: http://groups.google.com/group/rubyonrails-talk/browse_thread/thread/...
>
> The idea is that you put your files outside of the public area (so no
> one can type the URL), then you program a header rewrite so that your
> web server (Apache, Nginx, etc.) serves the file after you've
> authorized that request. Since it's a rewrite, the real name of a
> file can be "X23456.jpg" but served as "cassiommc_requested_image.jpg"
>
> Avoid sendfile if you're using Mongrel to serve your Rails application,
> and plow through the header programming above.
>
> Good luck,
> Jim
Bbq Plate
2008-Feb-17 20:25 UTC
Re: How to control access to resources (pictures and files)
I can render the view using send_data, but it's really slow and not recommended. If you find the answer, please post back here!

cassiommc-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
> Thanks for your reply!
>
> But can this work to serve the images to the view? That's what I'll
> really need; I think I didn't express myself well.
>
> Thank you!

-- 
Posted via http://www.ruby-forum.com/.
Jens Wille
2008-Feb-18 15:30 UTC
Re: How to control access to resources (pictures and files) inside application?
JimCifarelli [2008-02-16 17:04]:
> The idea is that you put your files outside of the public area (so
> no one can type the URL), then you program a header rewrite so
> that your web server (Apache, Nginx, etc.) serves the file after
> you've authorized that request.

I didn't follow the whole thread, but here's what we're doing (soon): let the web server (Apache) serve the content as usual and protect it from unauthorized access with the Apache Secure Download module [1]. It works by only allowing requests that have the correct token, which is computed from the resource's path, a timestamp, and a *secret* string that is shared between the web server and the application providing access to the resources.

So instead of putting /path/to/image.jpg into the view, you have /path/to/image.jpg?timestamp=<timestamp>&token=<token>, where timestamp = 1.minute.from_now (e.g.), and token = Digest::SHA1.hexdigest(secret + '/path/to/image.jpg' + timestamp). Thus only someone who knows your secret string gets access to that image.

Apache Secure Download was inspired by Mongrel Secure Download [2], a Mongrel handler by Josh Ferguson.

[1] <http://prometheus.rubyforge.org/apache_secure_download/>
[2] <http://rubyforge.org/projects/msecuredownload/>
[3] <http://prometheus.rubyforge.org/mongrel_secure_download-redux/>

cheers
jens

-- 
Jens Wille, Dipl.-Bibl. (FH)
prometheus - Das verteilte digitale Bildarchiv für Forschung & Lehre
Kunsthistorisches Institut der Universität zu Köln
Albertus-Magnus-Platz, D-50923 Köln
Tel.: +49 (0)221 470-6668, E-Mail: jens.wille-31N1O1AsgN5n68oJJulU0Q@public.gmane.org
http://www.prometheus-bildarchiv.de/
Koloa Poipu
2008-Feb-27 17:20 UTC
Re: How to control access to resources (pictures and files) inside application?
Hello Jens,

Thank you for the reply; however, I'm still a bit confused. The web server, say Apache, will be the one responsible for serving images. So after I authenticate a user and check if the user has permission to view a certain view, the view action will be called with a URL that contains timestamp, secret string, etc., which Apache will compute to see whether or not to serve the images? What is the purpose of the timestamp?

Thanks

Jens Wille wrote:
> JimCifarelli [2008-02-16 17:04]:
>> The idea is that you put your files outside of the public area (so
>> no one can type the URL), then you program a header rewrite so
>> that your web server (Apache, Nginx, etc.) serves the file after
>> you've authorized that request.
> I didn't follow the whole thread, but here's what we're doing
> (soon): let the web server (Apache) serve the content as usual and
> protect it from unauthorized access with the Apache Secure Download
> module [1]. It works by only allowing requests that have the correct
> token, which is computed from the resource's path, a timestamp, and
> a *secret* string that is shared between the web server and the
> application providing access to the resources.
>
> So instead of putting /path/to/image.jpg into the view, you have
> /path/to/image.jpg?timestamp=<timestamp>&token=<token>, where
> timestamp = 1.minute.from_now (e.g.), and token =
> Digest::SHA1.hexdigest(secret + '/path/to/image.jpg' + timestamp).
> Thus only someone who knows your secret string gets access to that
> image.
>
> Apache Secure Download was inspired by Mongrel Secure Download [2],
> a Mongrel handler by Josh Ferguson.
>
> [1] <http://prometheus.rubyforge.org/apache_secure_download/>
> [2] <http://rubyforge.org/projects/msecuredownload/>
> [3] <http://prometheus.rubyforge.org/mongrel_secure_download-redux/>
>
> cheers
> jens
>
> --
> Jens Wille, Dipl.-Bibl. (FH)
> prometheus - Das verteilte digitale Bildarchiv für Forschung & Lehre
> Kunsthistorisches Institut der Universität zu Köln
> Albertus-Magnus-Platz, D-50923 Köln
> Tel.: +49 (0)221 470-6668, E-Mail: jens.wille-31N1O1AsgN5n68oJJulU0Q@public.gmane.org
> http://www.prometheus-bildarchiv.de/

-- 
Posted via http://www.ruby-forum.com/.
Jens Wille
2008-Feb-28 18:17 UTC
Re: How to control access to resources (pictures and files) inside application?
Hi Koloa!

Koloa Poipu [2008-02-27 18:20]:
> The web server, say Apache, will be the one responsible for
> serving images. So after I authenticate a user and check if the
> user has permission to view a certain view, the view action will
> be called with a URL that contains timestamp, secret string,
> etc., which Apache will compute to see whether or not to serve the
> images?

Exactly. Your application generates a URL to your resource which Apache will check for validity. Only then will Apache serve that resource to the user. Hence, your application controls whether to allow the user access to the resource or not.

> What is the purpose of the timestamp?

The timestamp makes the URL only valid for a certain time. If the user saves the previously received URL to get access to the resource again at a later time, the timestamp prevents a successful "stealing".

I suggest you just try Apache Secure Download [1] and see if it suits your needs ;-) If I can help you make it work, just let me know. (It's available as a gem from RubyForge: sudo gem install apache_secure_download)

[1] <http://prometheus.rubyforge.org/apache_secure_download/>

cheers
jens

-- 
Jens Wille, Dipl.-Bibl. (FH)
prometheus - Das verteilte digitale Bildarchiv für Forschung & Lehre
Kunsthistorisches Institut der Universität zu Köln
Albertus-Magnus-Platz, D-50923 Köln
Tel.: +49 (0)221 470-6668, E-Mail: jens.wille-31N1O1AsgN5n68oJJulU0Q@public.gmane.org
http://www.prometheus-bildarchiv.de/
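A worked version of the scheme Jens describes (the token recipe in his first reply and the purpose of the timestamp in this one), written as an added example that is not the Apache Secure Download module's own code: the application side signs the URL, and the checking side recomputes the token and rejects tampered or expired requests. SECRET, the paths and the timestamps are constructed for the example.

```ruby
require 'digest/sha1'
require 'uri'
require 'cgi'

# Constructed secret: shared by the application and the web server and
# never placed in a URL; only tokens derived from it travel to the browser.
SECRET = 'example-shared-secret-do-not-reuse'.freeze

# Application side: what goes into the view instead of the bare path.
# Token recipe exactly as in the thread: SHA1(secret + path + timestamp).
def secure_url(path, expires_at)
  ts = expires_at.to_i.to_s
  token = Digest::SHA1.hexdigest(SECRET + path + ts)
  "#{path}?timestamp=#{ts}&token=#{token}"
end

# Compare two strings without stopping at the first differing byte, so a
# client guessing tokens learns nothing from response timing.
def same_token?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Checking side (the role Apache Secure Download plays in front of the
# files): recompute the token from the requested path and timestamp and
# refuse if either was changed or if the timestamp has passed. The expiry
# check is what stops a saved URL from working again later.
def authorized?(url, now)
  uri = URI.parse(url)
  params = CGI.parse(uri.query.to_s)
  ts = Array(params['timestamp']).first
  token = Array(params['token']).first
  return false if ts.nil? || token.nil?
  return false unless ts =~ /\A\d+\z/ # reject garbage before arithmetic
  return false if ts.to_i < now.to_i   # expired
  expected = Digest::SHA1.hexdigest(SECRET + uri.path + ts)
  same_token?(expected, token)
end
```

The plain concatenation follows the thread so the token matches what the module expects; the usual construction for keyed tokens today is an HMAC (OpenSSL::HMAC), which is a one-line swap in both functions.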