Hi,

I am desperately seeking a solution, or at least a hint, for preventing non-authorized users of my social network app from accessing images uploaded by registered users without authentication.

I already found the HTTP-REFERRER approach, but as commonly known, this won't work in situations where the referrer information is blank....

So it's not only a bandwidth-stealing thing, but also a privacy issue, since the users upload images and expect that no one except their own network of friends can see them.

I can imagine using mod_rewrite to call a Ruby controller for each website resource and then checking if the request has at least a session from my app. But won't that kill the performance of the server, when each access is being processed by a Ruby script instead of being served as a file?

Any help is appreciated!

Cheers
martin

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
I think the safest way is to store images outside your public directory. Then create a (controller and) action to retrieve images using send_data. For example:

    # Look the record up, then read the file from outside the public directory
    # and hand the bytes to send_data (send_data wants the data, not the File object).
    @person = Person.find(params[:id])
    File.open(@person.picture, "rb") do |image|
      send_data image.read, :filename => File.basename(@person.picture), :type => "image/jpeg"
    end

You could add a before filter to check if the user is authorized. Also, when uploading a file you should store its content type somewhere in the database.

On Jan 10, 4:15 pm, sunstalker <martin.ostrow...-BGeptl67XyCzQB+pC5nmwQ@public.gmane.org> wrote:
Martin -

On Jan 10, 4:15 pm, sunstalker <martin.ostrow...-BGeptl67XyCzQB+pC5nmwQ@public.gmane.org> wrote:

I wouldn't wait till Rails has your request - static (image, etc.) file serving won't scale.

You can likely find a better (i.e. more performant) option in your proxy - Apache, nginx. We serve all static files using nginx - you can likely wire up some checking there.

Jodi
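To make the two suggestions above concrete (the send_data action with an authorization filter from the previous reply, and handing static serving off to nginx from this one), here is an added example that is not code from this thread or from Rails itself. It is a plain Rack-style handler so it runs without a Rails install: uploads live outside the web root, the content type comes from the database row as the earlier reply recommends, and the same owner-or-friend check gates both delivery modes. The `Picture`/`User` structs, `IMAGE_ROOT`, the `/protected/` nginx location and the sample friend graph are all assumptions constructed for the example.

```ruby
# Added example (not from the thread): authorization check in Ruby, delivery either
# by reading the file in-process (what send_data does) or by handing the file to
# nginx with X-Accel-Redirect so the Ruby process never touches the bytes.
require "tmpdir"
require "fileutils"

IMAGE_ROOT = Dir.mktmpdir("private-uploads")  # assumed: a directory outside public/

# Stand-ins for database rows; content_type is recorded at upload time.
Picture = Struct.new(:id, :owner_id, :filename, :content_type)
User    = Struct.new(:id, :friend_ids)

# Constructed sample data: user 11 is a friend of the owner (10), user 12 is not.
PICTURES = { 1 => Picture.new(1, 10, "beach.jpg", "image/jpeg") }
USERS    = { 10 => User.new(10, [11]), 11 => User.new(11, [10]), 12 => User.new(12, []) }

# Constructed sample upload (a few JPEG magic bytes are enough for the example).
FileUtils.mkdir_p(File.join(IMAGE_ROOT, "10"))
File.binwrite(File.join(IMAGE_ROOT, "10", "beach.jpg"), "\xFF\xD8\xFF\xE0fakejpeg".b)

# Build the on-disk path from the row, refusing any filename that could escape IMAGE_ROOT.
def picture_path(picture)
  raise ArgumentError, "bad filename" unless picture.filename == File.basename(picture.filename)
  File.join(IMAGE_ROOT, picture.owner_id.to_s, picture.filename)
end

# Rule: the owner and the owner's friends may see the picture; nobody else, and never
# an anonymous request (current_user nil).
def authorized?(user, picture)
  return false if user.nil?
  user.id == picture.owner_id || user.friend_ids.include?(picture.owner_id)
end

# Returns a Rack-style triple [status, headers, body].
def serve_picture(current_user, picture_id, via: :send_data)
  picture = PICTURES[picture_id]
  return [404, {}, []] if picture.nil?
  return [403, {}, []] unless authorized?(current_user, picture)

  case via
  when :send_data
    # In-process delivery: read the file and return it with the stored content type.
    data = File.binread(picture_path(picture))
    [200, { "Content-Type"        => picture.content_type,
            "Content-Disposition" => "inline; filename=\"#{picture.filename}\"",
            "Content-Length"      => data.bytesize.to_s }, [data]]
  when :x_accel
    # Proxy hand-off: the body stays empty and nginx serves the file from an
    # `internal` location that browsers cannot request directly, e.g. (assumed config)
    #   location /protected/ { internal; alias /srv/private-uploads/; }
    [200, { "Content-Type"     => picture.content_type,
            "X-Accel-Redirect" => "/protected/#{picture.owner_id}/#{picture.filename}" }, []]
  else
    raise ArgumentError, "unknown delivery mode #{via.inspect}"
  end
end
```

Both modes keep the decision in the application, where the friend graph lives; only the byte shuffling moves to nginx in the second mode, which is what keeps the Ruby process out of the hot path without putting the files back under the public directory.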
Thank you both for your feedback!

In the meantime I developed the idea of using a token to establish trust between a mod_anything running in the Apache context and the Rails app. The idea is to create a session token via a simple web service (trust service) during the first page request and to augment all links to images within my app with this token. An Apache mod could then check each request for that token and verify it against the trust service. If the token is not valid or not given, the request will be answered with 403.

But I will now check the send_data and nginx approaches first. Because even if my approach helps me prevent anonymous users from reading images outside the app, it will not prevent authenticated users from seeing images of users they are not connected to (like in any other social network, images and stories must not be seen outside the user's network of friends).

martin

On 12 Jan., 03:12, Jodi Showers <j...-BOB1p6JRLoAV+D8aMU/kSg@public.gmane.org> wrote:
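As an added example of the token idea in this message (not code from the thread, and not any Apache module), here is a stateless variant: rather than the proxy-side module calling back to a trust service on every image request, the app mints a token of the form `user_id:expiry:HMAC-SHA256(secret, "user_id:expiry")`, appends it to every image link, and the component in front of the files verifies signature and expiry with no round trip. `SECRET`, `TOKEN_TTL`, the token layout and the `t` query parameter are assumptions. As the message itself notes, a valid token only proves the request came from an app session; it says nothing about whether that user may see this particular picture, so it complements rather than replaces the friend check.

```ruby
# Added example (not from the thread): HMAC-signed, expiring image tokens that a
# proxy-side checker can verify offline. Constructed names; not an Apache module.
require "openssl"
require "base64"

SECRET    = OpenSSL::Random.random_bytes(32)  # assumed: generated once, shared with the checker
TOKEN_TTL = 600                               # seconds a minted token stays valid

# Mint "user_id:expiry:signature" for a logged-in user; `now` is injectable for testing.
def mint_token(user_id, now: Time.now.to_i, secret: SECRET)
  payload = "#{user_id}:#{now + TOKEN_TTL}"
  mac = OpenSSL::HMAC.digest("SHA256", secret, payload)
  "#{payload}:#{Base64.urlsafe_encode64(mac, padding: false)}"
end

# Constant-time byte comparison so the checker leaks no timing information about the MAC.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the user_id on a valid, unexpired token and nil otherwise (the caller answers 403).
def verify_token(token, now: Time.now.to_i, secret: SECRET)
  user_id, expiry, sig = token.to_s.split(":", 3)
  return nil if user_id.nil? || expiry.nil? || sig.nil?
  return nil unless user_id =~ /\A\d+\z/ && expiry =~ /\A\d+\z/
  return nil unless expiry.to_i > now

  begin
    given = Base64.urlsafe_decode64(sig)
  rescue ArgumentError
    return nil
  end
  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{user_id}:#{expiry}")
  return nil unless secure_equal?(expected, given)
  user_id.to_i
end

# What the app appends to every image link it renders.
def image_url(path, user_id)
  "#{path}?t=#{mint_token(user_id)}"
end
```

The expiry bounds how long a copied link keeps working, which is the main difference from a bare session id in the URL; binding the token to the user id rather than the image path keeps the URL cheap to mint for a page full of thumbnails, while still giving the checker a user identity it could pass on if the friend check were ever moved into the proxy.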