How to control access to resourses (pictures and files) inside application?

I'm writing an application that will have lots of images and files
that should be accessed only by authorized people. Where should I put
this files inside the directory tree to avoid users typing the direct
path to the file and getting it without being logged to the
application?

Thank you!

Hello,

Check out my reply to another question:
http://groups.google.com/group/rubyonrails-talk/browse_thread/thread/166febb118641065/687b918da8146023

The idea is that you put you files outside of the public area (so no
one can type the URL), then you program a header rewrite so that your
web server (Apache, Nginx, .etc) serves the file after you've
authorized that request. Since it's a rewrite, the real name of a
file can be "X23456.jpg" but served as "cassiommc_requested_image.jpg"

Avoid sendfile if your using Mongrel to serve your Rails appplication,
and plow through the above header programming above.

Good luck,
Jim

hi,
ive been researching this and i found the x send file and
x-accel-redirect for nginx. they can be used for downloads, however, can
these be used to render images to a view?

thanks for any help!

JimCifarelli wrote:

Thanks for your reply!

but, can this work to serve the images to the view? thatś what I'll
really nedd, I think I didn't expressed myself well..

thank you!

i can render the view using send_data but its really slow and not
recommended. if youfind the answer, please post back here!

cassiommc@gmail.com wrote:

JimCifarelli [2008-02-16 17:04]:

The idea is that you put you files outside of the public area (so
no one can type the URL), then you program a header rewrite so
that your web server (Apache, Nginx, .etc) serves the file after
you've authorized that request.

i didn't follow the whole thread, but here's what we're doing
(soon): let the web server (apache) serve the content as usual and
protect it from unauthorized access with the Apache Secure Download
module [1]. it works by only allowing requests that have the correct
token, which is computed from the resources' path, a timestamp, and
a *secret* string that is shared between the web server and the
application providing access to the resources.

so instead of putting /path/to/image.jpg into the view, you have
/path/to/image.jpg?timestamp=<timestamp>&token=<token>, where
timestamp = 1.minute.from_now (e.g.), and token =
Digest::SHA1.hexdigest(secret + '/path/to/image.jpg' + timestamp).
thus only someone who knows your secret string gets access to that
image.

Apache Secure Download was inspired by Mongrel Secure Download [2],
a mongrel handler by josh ferguson.

[1] <http://prometheus.rubyforge.org/apache_secure_download/>
[2] <http://rubyforge.org/projects/msecuredownload/>
[3] <http://prometheus.rubyforge.org/mongrel_secure_download-redux/>

cheers
jens

hello Jens, Thank you for the reply, however, im still a bit confused.

the web server, say apache will be the one responsible for serving
images. so after i authenticate a user and check if the user has
permission to view a certain view, the view action will be called with a
url that contains timestamp, secret string, etc..which apache will
compute to see whether or not to serve the images?

What is the purpose of the timestamp?

thanks

Jens Wille wrote:

hi koloa!

Koloa Poipu [2008-02-27 18:20]:

the web server, say apache will be the one responsible for
serving images. so after i authenticate a user and check if the
user has permission to view a certain view, the view action will
be called with a url that contains timestamp, secret string,
etc..which apache will compute to see whether or not to serve the
images?

exactly. your application generates a URL to your resource which
apache will check for validity. only then will apache serve that
resource to the user. hence, your application controls whether to
allow the user access to the resource or not.

What is the purpose of the timestamp?

the timestamp makes the URL only valid for a certain time. if the
user saves the previously received URL to get access to the resource
again at a later time, the timestamp prevents a successful "stealing".

i suggest you just try Apache Secure Download [1] and see if it
suits your needs :wink: if i can help you make it work, just let me know.

(it's available as a gem from rubyforge -- sudo gem install
apache_secure_download)

[1] <http://prometheus.rubyforge.org/apache_secure_download/>

cheers
jens