My problem is not one of security. It is more one of organization. I can point Rails Active Storage at a bucket. From that point on, the end result is, it takes the name of a file like “fizzbuzz.csv”, and regardless of all the blob processing it does, it stores that in the root of the bucket.
Examine that for a second. We can imagine we have a folder “cold-beer” if we simply prefix the name of the file “fizzbuzz.csv” with “cold-beer”. S3 and the AWS gem place the file in my-bucket/cold-beer/fizzbuzz.csv
So we did nothing to Rails Active Storage, compromised no security, but we did use a prefix to tell S3 “hey”, throw this in the bucket “/cold-beer/fizzbuzz.csv”. The file itself is the same. Asking for it is the same. None of the fancy pants work of Active Storage is really challenged here, except it is insisting that the name of the uploaded file be placed in the bucket, because we create a hash out of that combo and not one that perhaps is one with a prefix.
All I can guess is that the Rails team working on Active Storage never uses S3 much, so they just don’t see the need to organize files this way… luckily, I think it is just fooling with the key, but perhaps I am naively missing something actually tough to do here.