Hey guys,
So I'm building a Rails 3 app and one of the major things it needs to do is let users upload photos into their own photo albums. That part in and of itself isn't a problem; where I'm a bit short on knowledge is the proper way to *secure* that information.
Say we have 3 users: a, b, c. A and B are friends, C doesn't know either one of them. A uploads photos into his/her album, which is marked to be viewed by "friends only", so B can see those photos, but not C.
However, what's to stop B from grabbing the URL to the photo of A and then sending it to C over iChat or something? C gets the image pulled up without even so much as a login.
I might be going a bit overkill here, but with all the recent discussion in the technology industry about individual privacy, I want to make sure this problem gets solved RIGHT. The only way I know to do this off the top of my head is to set the image source as a Ruby script itself, and have that script (or method in a controller) do the checks, then if they're good, retrieve the image and then send the raw image data down. I've done that with PHP before, but truth be told, I don't like it because it seems rather inefficient.
Is there a good way to do this, or is it generally acceptable that, while my app won't show C any photos of A, those photos aren't *actually* protected from a raw GET request, if somebody knew where to look?
Thanks
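
The check-then-serve approach described in the post, as an added example that is not part of the original post: a Rack-style endpoint in plain Ruby that authorizes the viewer and then hands the file transfer to nginx through `X-Accel-Redirect`, so Ruby never streams the image bytes. The user and photo tables, the `app.user` env key and the `/protected/` location (assumed to be marked `internal` in nginx, with the files stored outside the public web root) are all assumptions made for illustration.

```ruby
# Constructed sample data: who is friends with whom, and who owns which photo.
FRIENDS = { "a" => ["b"], "b" => ["a"], "c" => [] }.freeze
PHOTOS  = {
  "1" => { owner: "a", visibility: :friends, file: "a/beach.jpg" },
  "2" => { owner: "a", visibility: :public,  file: "a/avatar.jpg" }
}.freeze

# True when viewer (a user id, or nil when nobody is logged in) may see the photo.
def can_view?(viewer, photo)
  return true if photo[:visibility] == :public
  return false if viewer.nil?
  viewer == photo[:owner] || FRIENDS.fetch(photo[:owner], []).include?(viewer)
end

# env mimics a Rack env: PATH_INFO is "/photos/<id>" and "app.user" (hypothetical
# key) is filled in by whatever session/login middleware the app uses.
def photo_endpoint(env)
  id    = env["PATH_INFO"].to_s[%r{\A/photos/(\d+)\z}, 1]
  photo = id && PHOTOS[id]

  # Same 404 for "no such photo" and "not allowed", so ids cannot be probed.
  unless photo && can_view?(env["app.user"], photo)
    return [404, { "Content-Type" => "text/plain" }, ["Not found"]]
  end

  headers = {
    "Content-Type"     => "image/jpeg",
    # Per-user content must not be kept by shared caches or proxies.
    "Cache-Control"    => "private, no-store",
    # nginx replaces this response with the file from its internal location;
    # a direct GET to /protected/... from a browser is refused by nginx.
    "X-Accel-Redirect" => "/protected/#{photo[:file]}"
  }
  [200, headers, []]
end
```

In a Rails controller the same shape is an authorization check followed by `send_file`, with the web server's sendfile header enabled so the app process only emits headers.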