rubyonrailsin

Geoffroy Gomet wrote:
> How can I protect static assets behind authentication.
> I'm familliar with protecting dynamic pages but how to protect static
> files?
>
> An example would be : someone login to my application, upload a
> picture and authorize only some users to see this picture.
> How to avoid someone to access the picture, even if this pperson knows
> the correct url of the file.
>
> The solution is probably to let rails handle static files, but how to
> force this behavior and how to handle differents file types (probably
> through sendfile).

In most production environments web resources (files under
$RAILS_ROOT/public) are served to the client by the web server (Apache,
Nginx, etc.). Your Rails application, and therefore your authentication,
are not involved at all.

The easiest solution is to move the files you want to deliver outside of
the public folder and serve them to the client from your Rails
application using send_file:

http://railsapi.com/doc/rails-v2.3.5/classes/ActionController/Streaming.html#M001587

Take special note of the :x_sendfile option. This will basically hand
the bulk of the file streaming back to Apache. With send_file you'll be
able to control access to the protected files, by whatever means you
wish. You would then be able to send the files just as you would
normally send html to the client using Rails routing and controller
actions.
--
Posted via http://www.ruby-forum.com/.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.