Attachment_Fu check Filesize on Upload

Hi, i'm using the Attachment_Fu plugin to handle file uploading and have
set the max filesize in my image model, that works fine.

Problem is, I don't want the user to find out the image they're
uplaoding is too big after uploading it.

Is there any way, clientside, to check the size before uploading?

you could use swfupload to do this:
http://swfupload.org/

this comes with a few more advantages, eg uploading several files at
once

Indeed, a fantastic component. You can also filter out certain filetypes etc. It does use Flash and you need to be aware that it uses JavaScript callbacks similar to the Prototype onComplete events you need to use to show the files after the upload is done. Also, keep in mind that Rails 2’s forgery protection and more restrictive session management can give you some problems. It has come up on the mailing list, just search the archives.

It would be nice if someone would write a blog post on SWFUpload in Rails 2. I’m using it in a Rails 1.2 app with great success, but using it in Rails 2 is a big question mark for me. Would be nice to get some comforting guidelines on a working solution.

Best regards

Peter De Berdt

It would be nice if someone would write a blog post on SWFUpload in
Rails 2. I'm using it in a Rails 1.2 app with great success, but
using it in Rails 2 is a big question mark for me. Would be nice to
get some comforting guidelines on a working solution.

yes, you're right that it fails to work with the session.
my solution so far:

- before starting the upload send an ajax request to the server (with
session handling)
- generate some entry in the database with an unique id (and maybe some
other security information) and a datetime, so it's valid only a few
seconds
- the ajax response triggers the fileupload for the requested files
- file uploads are only accepted, as long as they match the db entry

i think that's reasonably secure and was easy to implement. i had
thought to use some of the solutions that where mentioned in the other
discussions here, but they all seem to fail with one browser or another.

Nice, thanks, but this sounds like replacing one problem with another.

I'll add some text by the box to say [max 5mb] which should stop most,
and an onsubmit() function when submitting the file that I can rig to a
js function to check the filesize.

I'm sure I did this with javascript before but no idea how

hmm.. no luck there, looks like it can't be done via javascript, only
once the file has got to the server can you check the filesize.

so with the Attachment_Fu plugin, is there a method / object that
returns what happened with a failed upload so i can do...

if attachment.size > 5.megabytes
  flash[:notice] = 'sorry, you tried to upload a file larger than 5mb!'

?

So if I understand you correctly, you turn off the session for the upload method and replace it with your own temporary validation hash?

Great solution btw, it’s so obvious and simple I would never have thought of it myself :-), I still would have tried to work around it the way you could do it in the previous Rails version (by allowing session ids to be passed in via a parameter request).

Best regards

Peter De Berdt

I know Peter, it isn't perfect but will do for the moment. I'll
research some more with the plugin you suggested and Attachment_Fu to
find a more graceful way of handling this.

Will let you know if I find the solution.

Appreciate your help.

John.

So if I understand you correctly, you turn off the session for the
upload method and replace it with your own temporary validation hash?
Great solution btw, it's so obvious and simple I would never have
thought of it myself :-), I still would have tried to work around it
the way you could do it in the previous Rails version (by allowing
session ids to be passed in via a parameter request).

in that special case for each file i need an db entry anyway
to link it in the document structure, having fields like
name: descriptive name given by user
description: long description of content
document_version: docs can be replaced
project_id: project, doc belongs_to
user_id

etc

so the ajax call (with session) creates an empty record,
filling out only necessary parts as user_id and project_id
plus: temporary reuse of name to store some randomly generated code
which is handed back with the ajax response (plus the document_id)
maybe this code is not really necessary, but it looks very secure :wink:
then starts uploading file/s with those parameters

the action checks that a record with given id exists, that it's
created_at isn't too old and the code is matched
in any other case rejects the upload

i think that's rather secure and somebody would have to
intercept the connection to get the id and code fast enough
to do something bad

maybe it could be enhanced with some tricky encryption,
but we're quite confident, that it's secure enough for
our kind of apps