acts_as_attachment and file security

I've been experimenting with the acts_as_attachment plugin and I've been pretty happy with it except for one thing.

By default AAA puts the attached files into 'public/files', which is generally world readable. It is possible to bypass any security and download files directly from that directory if you know the filename.

For my particular needs, I need to ensure that specific files are only downloaded by authenticated users. Preferably only those with sufficient permission to access a particular file.

Does anyone have any suggestions for ways to secure uploaded files?

_Kevin

Another example of solving the problem minutes after posting about it.

Pretty easy too.

acts_as_attachment :file_system_path => 'attachments'

will store the attachments outside of the public directory, so the web server won't deliver them.

Then all you need is an action in a controller like this:

def download
  # look up the record, then stream the file from outside public/
  @attachment = Attachment.find(params[:id])
  send_file @attachment.public_filename
end
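A fuller version of that download action's access check, added here as an example rather than code from the thread or from the plugin: it keeps the files outside public/ as above, refuses callers who lack permission for that particular file (the "sufficient permission" requirement from the first post), and refuses a stored filename that resolves outside the attachments directory. The Attachment and User structs, the owner-or-admin rule and the explicit root directory argument are assumptions made so it runs without Rails.

```ruby
require 'pathname'
require 'tmpdir'

# Constructed stand-ins for the ActiveRecord models, so this runs without Rails.
Attachment = Struct.new(:id, :owner_id, :filename)
User = Struct.new(:id, :admin)

class AttachmentAccess
  # root: the directory :file_system_path points at, outside public/ (assumed).
  def initialize(root)
    @root = Pathname.new(root).realpath
  end

  # Assumed permission rule: the uploading user or an admin may download.
  def allowed?(user, attachment)
    return false if user.nil?
    user.admin || user.id == attachment.owner_id
  end

  # On-disk path to hand to send_file, or nil when the request must be refused:
  # caller not authorised, file missing, or the resolved path escaping the root
  # (e.g. a stored filename of '../secret.txt').
  def path_for(user, attachment)
    return nil unless allowed?(user, attachment)
    candidate = @root.join(attachment.filename)
    return nil unless candidate.file?
    real = candidate.realpath
    return nil unless real.to_s.start_with?(@root.to_s + File::SEPARATOR)
    real.to_s
  end
end

# Exercises the checks against a constructed attachments directory.
def attachment_access_demo
  Dir.mktmpdir do |dir|
    root = File.join(dir, 'attachments')
    Dir.mkdir(root)
    File.write(File.join(root, 'report.pdf'), 'constructed sample')
    File.write(File.join(dir, 'secret.txt'), 'outside the root')
    access = AttachmentAccess.new(root)
    owner, other, admin = User.new(1, false), User.new(2, false), User.new(3, true)
    report = Attachment.new(10, 1, 'report.pdf')
    escape = Attachment.new(11, 1, '../secret.txt')
    { :owner => !access.path_for(owner, report).nil?,
      :other => access.path_for(other, report).nil?,
      :admin => !access.path_for(admin, report).nil?,
      :anon => access.path_for(nil, report).nil?,
      :escape => access.path_for(owner, escape).nil? }
  end
end
```

In the controller itself the action becomes `path = access.path_for(current_user, Attachment.find(params[:id]))`, followed by `send_file path` when that is non-nil and a 403 response otherwise.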

If you need a more custom path, you can override full_filename. Just look at how the plugin does it and tweak it to serve your needs.

Actually, the method I posted works pretty well, so I see no reason to change that.

I did run into one problem though... when trying to get it to create thumbnails I keep getting errors about a method called 'find_or_initialize_by.....'. If I'm not mistaken, that method only appears in edge rails right now, and that causes the acts_as_attachment thumbnailing to fail on any of the standard rails releases.

_Kevin