Protecting images from the public..

Mohit Sindhwani wrote:

I know there was a thread about this a while back, and Al Evans posted this reply to a question about protecting images from being directly accessed by typing in the URL.

--- Al Evans wrote:

Here's a method I've used for sending pictures from an arbitrary location in the file system:

  def get_pic
    send_file(User.photo_file_name_for(@params[:id]), {:disposition => 'inline', :type => 'image/jpeg'})
  end

You could modify that to return an image only if a user was logged in, for example.

Obviously, photo_file_name_for() returns a file system path to the appropriate image.

Here's an example of the <img> declaration in a view:

<img class="photo" src="/users/get_pic/<%= @user.id %>" alt="<%= @user.name %>" />

But there's no way to stop a user from doing "Save as..." or dragging a copy of the image off onto their desktop or taking a screenshot or.... ---

I'm just a bit confused about where this code goes. I'm basically trying to use this with file_column and I've got it to upload the file to RAILS_ROOT/storage/upload and now need to do the needful to integrate the above get_pic function to send the image using the <img> declaration.

I'm confused - would appreciate some help.. :-S

Thanks
Mohit.

Exploring on, I managed to get it to work by doing this, but would like to know if it's the right way:

  def get_pic
    @fctrial = Fctrial.find(params[:id])
    send_file(@fctrial.image, {:disposition => 'inline', :type => 'image/jpeg'})
  end

This is instead of:

  def get_pic
    send_file(User.photo_file_name_for(@params[:id]), {:disposition => 'inline', :type => 'image/jpeg'})
  end

Is it better to do another find or should I add a function to the model to get it to generate the image name?

Cheers
Mohit.
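An added example, not part of the original posts: the checks a get_pic action could run before handing a path to send_file, written in plain Ruby so it runs outside Rails. The helper name resolve_protected_image, the logged_in flag and the demo files are assumptions made for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# Hypothetical helper (not from the thread): decide whether a stored image
# path may be served. Returns the canonical path, or nil to refuse.
def resolve_protected_image(storage_root, stored_path, logged_in)
  # Gate on the session first ("return an image only if a user was logged in").
  return nil unless logged_in
  return nil if stored_path.nil? || stored_path.empty?

  root = File.realpath(storage_root)
  begin
    # Resolve ".." and symlinks so the comparison uses the real location.
    real = File.realpath(stored_path, root)
  rescue SystemCallError
    return nil # missing file or unreadable directory
  end

  # Serve only regular files that live under the storage directory.
  return nil unless real.start_with?(root + File::SEPARATOR)
  return nil unless File.file?(real)

  real
end

# Constructed sample data: one uploaded image and one file outside storage.
def demo
  Dir.mktmpdir do |dir|
    root = File.join(dir, 'storage', 'upload')
    FileUtils.mkdir_p(root)
    File.write(File.join(root, 'photo.jpg'), 'constructed image bytes')
    File.write(File.join(dir, 'secret.txt'), 'outside the storage root')
    {
      anonymous: resolve_protected_image(root, 'photo.jpg', false),
      member:    resolve_protected_image(root, 'photo.jpg', true),
      escape:    resolve_protected_image(root, '../../secret.txt', true),
      missing:   resolve_protected_image(root, 'nope.jpg', true)
    }
  end
end

demo.each { |name, path| puts "#{name}: #{path.inspect}" } if __FILE__ == $PROGRAM_NAME
```

In the controller, the action would call send_file only when the helper returns a path and answer with a 404 otherwise.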