Hi, I am using attachment_foo for sharing files between users. Everything works fine but I am worry about the security. All files are stored in the public rails folder so any browser can easily access these files!! I know that the folder path is specific but probably I could write a simple script that could find some common file names. Guys, did you think about that during development? Is there any way to serve files by rails app. So that I could avoid storing files in public directory? Is database good idea? Is it efficient way? Thank you. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
On 16 Apr 2009, at 12:27, Zirael wrote:> > Hi, > > I am using attachment_foo for sharing files between users. Everything > works fine but I am worry about the security. > > All files are stored in the public rails folder so any browser can > easily access these files!! > I know that the folder path is specific but probably I could write a > simple script that could find some common file names. > > Guys, did you think about that during development? >Use X-sendfile, X-Accel-redirect or generate hard to guess filenames (ie /1ea39e7eacd783eda093223aebdcdf234/myfile) Fred> Is there any way to serve files by rails app. So that I could avoid > storing files in public directory? > > Is database good idea? Is it efficient way? > > Thank you. > >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
I had the same problem with some of my projects, where some images or
files had to be accessible only to logged users.
The solution is easy (I''m using file_column but the idea is the same),
when you declare has_attachment you can also select where to save your
files using :path_prefix .
You can set something like :path_prefix =>
"resources/#{table_name}" or
some other non public directory to avoid accessing the files directly by
passing a url.
To access the files, you call a method in a controller that serves back
the file using the send_file function. Check the api for better info
about it, you can send back the file inline (to be used in an image_tag
for instance) or as a download.
Since the file is sent by a method, it''s easy to prevent its download
from non authorized user
--
Posted via http://www.ruby-forum.com/.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---