ActiveStorage Authentication

TomRossi7 · November 10, 2021, 9:18pm

In the current documentation, we have an approach for Authenticated Controllers. This requires you to essentially duplicate all of the ActiveStorage controllers so you can include your application specific modules.

Would it be better to instead have the ActiveStorage::BaseController inherit from an interim controller like ApplicationStorageController where modules could be included to provide authentication and other types of behavior?

So rather than this:

# app/controllers/logos_controller.rb
class LogosController < ApplicationController
  # Through ApplicationController:
  # include Authenticate, SetCurrentAccount

  def show
    redirect_to Current.account.logo.url
  end
end

You could instead do this:

# app/controllers/application_storage_controller.rb
class ApplicationStorageController < ApplicationController
  include Authenticate, SetCurrentAccount
end

Or maybe there is another way we could provide developers a way to mix in their modules into the existing ActiveStorage controllers?

petrik · November 17, 2021, 1:55pm

There was a PR to create a BaseController: https://github.com/rails/rails/pull/41505 In the comments of that PR George Claghorn mentions how they fix this in Hey.

BenKoshy · September 29, 2024, 9:11am

github.com/rails/rails

Comment by georgeclaghorn - Allow users to customize ActiveStorage controllers without having to override them

rails:main ← santib:active-storage-controllers

I’m not sure about this specific approach yet—need to think about it more. This …is a good start, though, and I’d like to do something along these lines. Another thing to consider are these authorization monkey-patches we use (cleaned up a bit for sharing), which I’d love to upstream in some form: ```ruby ActiveSupport.on_load :active_storage_blob do def accessible_to?(accessor) attachments.includes(:record).any? { |attachment| attachment.accessible_to?(accessor) } || attachments.none? end end ActiveSupport.on_load :active_storage_attachment do def accessible_to?(accessor) record.try(:accessible_to?, accessor) end end ActiveSupport.on_load :action_text_rich_text do def accessible_to?(accessor) record.try(:accessible_to?, accessor) end end module ActiveStorage::Authorize extend ActiveSupport::Concern included do before_action :require_authorization end private def require_authorization head :forbidden unless authorized? end def authorized? @blob.accessible_to?(Current.identity) end end Rails.application.config.to_prepare do ActiveStorage::Blobs::RedirectController.include ActiveStorage::Authorize ActiveStorage::Blobs::ProxyController.include ActiveStorage::Authorize ActiveStorage::Representations::RedirectController.include ActiveStorage::Authorize ActiveStorage::Representations::ProxyController.include ActiveStorage::Authorize end ``` Application models implement `accessible_to?(accessor)` to indicate authorization: ```ruby class Entry < ApplicationRecord def accessible_to?(accessor) in? accessor.accessible_entries end end ```

The following is a copy of the above link;

## where does this go?
ActiveSupport.on_load :active_storage_blob do
  def accessible_to?(accessor)
    attachments.includes(:record).any? { |attachment| attachment.accessible_to?(accessor) } || attachments.none?
  end
end

ActiveSupport.on_load :active_storage_attachment do
  def accessible_to?(accessor)
    record.try(:accessible_to?, accessor)
  end
end

ActiveSupport.on_load :action_text_rich_text do
  def accessible_to?(accessor)
    record.try(:accessible_to?, accessor)
  end
end

module ActiveStorage::Authorize
  extend ActiveSupport::Concern

  included do
    before_action :require_authorization
  end

  private
    def require_authorization
      head :forbidden unless authorized?
    end

    def authorized?
      @blob.accessible_to?(Current.identity)
    end
end

## where to put this?
Rails.application.config.to_prepare do
  ActiveStorage::Blobs::RedirectController.include ActiveStorage::Authorize
  ActiveStorage::Blobs::ProxyController.include ActiveStorage::Authorize
  ActiveStorage::Representations::RedirectController.include ActiveStorage::Authorize
  ActiveStorage::Representations::ProxyController.include ActiveStorage::Authorize
end

Would anyone know where to paste this type of config?

chris.covington · September 30, 2024, 6:02pm

That looks like it would go in an initializer file.

Topic		Replies	Views
[Feature proposal] Override controllers in ActiveStorage configuration rubyonrails-core feature , activestorage	0	936	November 15, 2021
ActiveStorage Direct Uploads Safe by Default/How to make it safe? rubyonrails-talk	8	2801	March 28, 2023
ActiveStorage - next steps and how to help? rubyonrails-core	1	233	November 22, 2017
[ActiveStorage] ActiveStorage custom storage path configuration per Model attribute rubyonrails-core feature	0	708	January 7, 2020
CORS Configuration with Active Storage Disk service rubyonrails-talk activestorage	2	34	December 19, 2024

ActiveStorage Authentication

Related topics

More Resources