0

I would like my users to be able to upload some files which are strictly related to them. The resource is only visible if they authenticate to the web service, so should the file attachment be.

Now with Paperclip I can specify the upload location of the files and even obfuscate the filename like so:

has_attached_file :avatar, {
    :url => "/system/:hash.:extension",
    :hash_secret => "longSecretString"
}

But still, all files are stored in the same place and by brute-forcing you COULD see files that do not belong to you, even though unlikely.

Is there any way to protect the files from being seen by people that shouldn't?

4

2 Answers

1

You should be able to configure paperclip to store the files somewhere outside your app's /public directory, so they have to be fetched and served by your application. If they have to be fetched by your application, then you can apply whatever authentication and authorization you need at that point.

Another approach is to store uploaded files in the database instead of in the filesystem. That makes the uploaded files just as secure as any other application data you store in the database.

Answered 2013-02-26T14:08:50.353
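
The first approach above, as an added sketch in plain Ruby (not code from the answer or from Paperclip): files sit under a private directory outside `/public`, and the application checks ownership and path containment before it hands back a path to stream. `Attachment`, `AccessDenied`, `authorized_path` and the directory layout are hypothetical names and constructed sample data.

```ruby
require "pathname"
require "tmpdir"

# Hypothetical record linking a stored file to its owner (constructed data).
Attachment = Struct.new(:id, :owner_id, :stored_name)
class AccessDenied < StandardError; end

# Returns the absolute path the app may stream to user_id, or raises.
# root is assumed to be a directory outside the web server's document root.
def authorized_path(attachment, user_id, root)
  # Authorization: only the owning user may fetch the file.
  raise AccessDenied, "not owner" unless attachment.owner_id == user_id

  root = Pathname.new(root).realpath
  path = root.join(attachment.stored_name)
  raise AccessDenied, "missing" unless path.file?
  # Containment: resolve symlinks and "..", then require the private root as prefix.
  real = path.realpath
  raise AccessDenied, "outside root" unless real.to_s.start_with?(root.to_s + File::SEPARATOR)
  real.to_s
end

# Exercises the check: owner, another user, and a stored name that escapes the root.
def demo
  Dir.mktmpdir do |dir|
    root = File.join(dir, "private_uploads")
    Dir.mkdir(root)
    File.write(File.join(root, "a1.png"), "alice-avatar")
    File.write(File.join(dir, "secret.txt"), "outside")
    own = Attachment.new(1, 10, "a1.png")
    escaping = Attachment.new(2, 10, "../secret.txt")
    attempt = lambda do |att, uid|
      begin
        File.read(authorized_path(att, uid, root))
      rescue AccessDenied => e
        "denied: #{e.message}"
      end
    end
    [attempt.(own, 10), attempt.(own, 11), attempt.(escaping, 10)]
  end
end

p demo if __FILE__ == $0
```

In a Rails controller the returned path would be passed to `send_file` after the normal login check, so the web server never serves the upload directory directly.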
1

For object/model-level authorization of those objects, take a look at canable, rails_authorization in ruby toolbox, and the following questions:

If you have trouble with Paperclip, you could take a look at carrierwave or something else from rails_file_uploads in ruby toolbox. Carrierwave has support for storage on filesystem, in DB, or DB-managed filesystem storage (like large object support in carrierwave-postgresql, if you were using postgres).

Answered 2013-02-26T14:16:20.950