Has anyone got any ideas on how to approach the following:

I generate a pdf receipt and store it in a directory "outside" of public since I do not want users to be able to just mess about with URLs and look at other users' receipts. However, I do want users to be able to download and see their own receipt. I am struggling to come up with a way of the browser showing the pdf but denying access to other pdfs.

I had thought of using some sort of md5 generated id on a resource called "receipt" to do a show, but in the end there is always some URL. Is there a way of creating some sort of "one-time-use" URL by forming the headers accordingly and then simply using a file-read to serve up the file? To me this seems a bit weird, as the whole point of webservers is doing precisely this.

I must be thinking along the wrong lines.

Thanks.

O.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Why not just scope the find to the user?

    class User < ActiveRecord::Base
      has_many :receipts
    end

Then in your controller you can do something like

    def show
      # Only receipts belonging to the logged-in user can be found at all
      file_ref = current_user.receipts.find(params[:id])
      # Read file code
    end

On Dec 7, 2009, at 7:43 AM, icke wrote:
> Has anyone got any ideas on how to approach the following:
This seems to have done the trick.

    class DocumentController < ApplicationController
      def show
        fingerprint = params[:id]
        if doc = Document.find_by_fingerprint(fingerprint)
          render :file => doc.filepath, :content_type => content_type(doc.filename)
        else
          raise ArgumentError, "Invalid document fingerprint, possible tampered URL"
        end
      end

      def download
        fingerprint = params[:id]
        if doc = Document.find_by_fingerprint(fingerprint)
          send_file doc.filepath, :type => content_type(doc.filename)
        else
          raise ArgumentError, "Invalid document fingerprint, possible tampered URL"
        end
      end

      protected

      # Map the file's extension to a MIME type; returns nil when the
      # extension is missing or unknown.
      def content_type(filename)
        extname = File.extname(filename).sub(/\A\./, '')
        mime_type = Mime::Type.lookup_by_extension(extname)
        mime_type.to_s unless mime_type.nil?
      end
    end
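The controller above finds a document by fingerprint alone, so anyone holding a valid fingerprint can fetch it, and the filename stored in the row is handed straight to send_file. This added example (not code from the thread, and plain Ruby with no Rails dependency) shows the two checks a serving action would want: the lookup is scoped to the owning user, as the earlier reply suggests, and the resolved path is verified to stay under the storage directory. RECEIPT_ROOT, the Receipt struct and its rows are constructed assumptions.

```ruby
require 'pathname'

# Assumed storage root, outside the web server's public/ directory (constructed).
RECEIPT_ROOT = Pathname.new('/srv/app/private/receipts')

# Constructed rows standing in for the Receipt model: id, owner, stored filename,
# and the unguessable fingerprint that appears in the URL.
Receipt = Struct.new(:id, :user_id, :filename, :fingerprint)
RECEIPTS = [
  Receipt.new(1, 10, 'receipt-1.pdf', 'a1b2c3'),
  Receipt.new(2, 11, 'receipt-2.pdf', 'd4e5f6'),
  Receipt.new(3, 10, '../../../etc/passwd', '0badf00d') # constructed tampered row
].freeze

class NotAuthorized < StandardError; end

# Look the fingerprint up only among the receipts the current user owns
# (the current_user.receipts.find scoping from the earlier reply). A valid
# fingerprint owned by someone else is treated exactly like a bogus one, so
# the response does not reveal that the receipt exists.
def find_receipt_for(user_id, fingerprint)
  receipt = RECEIPTS.find { |r| r.user_id == user_id && r.fingerprint == fingerprint }
  raise NotAuthorized, 'no such receipt for this user' unless receipt
  receipt
end

# Resolve the on-disk path and refuse anything that escapes RECEIPT_ROOT, so a
# tampered stored filename cannot turn send_file into an arbitrary file read.
def safe_receipt_path(receipt)
  path = (RECEIPT_ROOT + receipt.filename).cleanpath
  unless path.to_s.start_with?(RECEIPT_ROOT.to_s + '/')
    raise NotAuthorized, 'receipt path escapes storage root'
  end
  path
end

# What a controller action would call before send_file(path, :type => 'application/pdf').
def receipt_path_for(user_id, fingerprint)
  safe_receipt_path(find_receipt_for(user_id, fingerprint)).to_s
end
```

Because the fingerprint is still required, a logged-in user cannot enumerate their own receipts by sequential id either; the fingerprint and the ownership check each cover a case the other does not.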