Hey all!
Im building an app at the moment in which users can upload images of themselves.
The problem is, because these images are stored in the public directory they are open to the public.
How can I protect these images but still allow access to them in my views?
thanks
Gavin
You'll need to explain protect but still allow access. You could store them in another directory and then use send_file to send the file after some form of authentication. You can also do this with nginx (better scalability) via the method I explain on my blog at http://ramblingsonrails.com/how-to-protect-downloads-but-still-have-nginx-serve-the-files A similar method exists for Apache.
Andrew Timberlake http://ramblingsonrails.com
http://MyMvelope.com - The SIMPLE way to manage your savings
Sorry,
by "still allow access" I simply meant that I could still refer to the images in my HTML. ( <img src='/images/pic.jpg'> )
send_file isn't appropriate here ( as far as I'm aware ).
Suppose my profile image is located at "images/3.jpg". I want to prevent users from then visiting "images/4.jpg" and checking out pictures they don't have access to.
So far, encypting the image name seems to be the only solution.
ie- "images/8dfa7dg6g82h9dhn9njn23knjkknsdf9.jpg"
Making it a little more difficult to 'guess' the picture url.
Anybody know of a better way to handle this?
Gavin
Gavin Morrice wrote: [...]
send_file isn't appropriate here ( as far as I'm aware ).
Why not? It sounds like exactly what you want -- a way to send an arbitrary file that isn't in the public directory.
Suppose my profile image is located at "images/3.jpg". I want to prevent users from then visiting "images/4.jpg" and checking out pictures they don't have access to.
Then don't put the images in the public directory. The public directory is, well, public.
So far, encypting the image name seems to be the only solution.
ie- "images/8dfa7dg6g82h9dhn9njn23knjkknsdf9.jpg"
Making it a little more difficult to 'guess' the picture url.
This could work too.
Best,
Why not? It sounds like exactly what you want -- a way to send an arbitrary file that isn't in the public directory.
Isn't send_file for streaming the file to the user though? I'm only looking to load the image on screen, I don't want the users to actually download a copy of the file.
Thanks
Gavin
You can send a file inline without streaming for an image (I'm using this in an application):
send_file path, :type => 'image/jpeg', :disposition => 'inline', :stream => false
HTH, Nicholas
Alrighty...
Was not aware of that. I think in this case it's best to go with the encrpted filename option because I'll might have loads of images to render per page.
Thanks for your help guys.
Gavin
option because I'll might have loads of images to render per page.
^ apologies for the crap grammar - writing in a hurry today
Just so you know, with the x-sendfile option:
:x_sendfile - uses X-Sendfile to send the file when set to true. This is currently only available with Lighttpd/Apache2 and specific modules installed and activated. Since this uses the web server to send the file, this may lower memory consumption on your server and it will not block your application for further requests. See X-Sendfile - lighty's life and tn123.ath.cx is offline for details. Defaults to false.
Thanks Nicholas,
I have used send_file before, but I had no idea that the 'inline' option was available.
You've also helped answer the problem I've had with my mp3_player plugin (http://handyrailstips.com/tips/7-playing-mp3-s-on-your-rails- site-with-mp3_player)
Thanks again 
Gavin