Is it possible to prevent illegal url access from anyone but file owner, if using paperclip url hash parameter

paperclip ruby on rails ruby on rails3 ruby


#1 arjunm009

Posted 28 February 2014 - 12:52 PM

Paperclip hash can hide the actual file path, but the URL itself stays public, which anyone other than the actual owner of the file can access.

In many online guides the method listed was simply to serve the file through the "sendfile" ruby class, which takes an "id" and then activates the download.

But if the paperclip hash parameter is used, it simply would not work, as "sendfile" can't understand the hash.

This is what I did.

In the paperclip asset.rb model file I have

:url => "/system/:hash.:extension"

Now in my routes file, I have

match "/system/:hash.:extension" => "assets#get", :as => "download"

index.html.erb

<%= link_to asset.doc_name, download_url(asset) %>

assets controller

def get
  asset = current_user.assets.find_by_id(params[:id])
  if asset
    send_file asset.uploaded_doc.path, :type => asset.uploaded_doc_content_type
  end
end

This generates a "no route matches" error:

No route matches {:controller=>"assets", :action=>"get", :hash=>#<Asset id: 25, user_id: 1, created_at: "2014-02-27 15:06:55", updated_at: "2014-02-27 15:06:55", uploaded_doc_file_name: "warm.jpg", uploaded_doc_content_type: "image/jpeg", uploaded_doc_file_size: 39627, uploaded_doc_updated_at: "2014-02-27 15:06:55">}

But if I don't use the hash, and instead use something like

:url=>"/assets/get/:id"

in asset.rb and make the changes in routes, it will work.

From the error it seems it is expecting some hash. How do I make it understand it's paperclip's parameter and get "sendfile" to work with it?

(I was learning to code a file storage app from here)
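
Added example, not part of the original post and not Paperclip's own code: a plain-Ruby model of the owner check the question asks for, where the download action resolves the URL token only among the logged-in user's own assets. The `url_token` data layout, `HASH_SECRET`, the `download` helper and the sample records are assumptions, and it presumes the files are stored outside the web server's public directory so the controller is the only way to reach them.

```ruby
require "openssl"

# Constructed stand-in for the Asset model in the post (not ActiveRecord).
Asset = Struct.new(:id, :user_id, :path, :content_type, :updated_at)

HASH_SECRET = "constructed-demo-secret" # assumption: app-wide secret kept out of source control

# Opaque URL token: HMAC over attributes of the asset (hypothetical data layout).
def url_token(asset)
  data = "assets/uploaded_doc/#{asset.id}/#{asset.updated_at}"
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), HASH_SECRET, data)
end

# Constant-time comparison of two equal-length strings.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mirrors the "get" action: returns [status, path, content_type].
# The search covers only the caller's own assets, so a valid token that belongs
# to another user is indistinguishable from a token that does not exist.
def download(assets, current_user_id, token)
  return [401, nil, nil] if current_user_id.nil?
  return [404, nil, nil] unless token.is_a?(String) && token.match?(/\A\h{64}\z/)

  owned = assets.select { |a| a.user_id == current_user_id }
  asset = owned.find { |a| secure_equal?(url_token(a), token) }
  asset ? [200, asset.path, asset.content_type] : [404, nil, nil]
end

# Constructed sample records (paths are placeholders outside any public directory).
ASSETS = [
  Asset.new(25, 1, "/srv/private/25/warm.jpg", "image/jpeg", "2014-02-27 15:06:55"),
  Asset.new(26, 2, "/srv/private/26/notes.pdf", "application/pdf", "2014-02-28 09:00:00")
].freeze
```

In a Rails controller the 200 branch would call `send_file` with the returned path and content type, and the other branches would render the matching status.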
