Rails Image Upload Security

I am currently using Carrierwave for user images.

However, I can't seem to find a solution for securing the images, that is, how to restrict uploaded images so that only specific users in the same group can view them.

After looking at Facebook's implementation, I noticed that they append these parameters (oh, oe, __gda__) to the image URL:

    ?oh=924eb34394&oe=55E07&__gda__=1436393492fc8bf91e1aec5

Is there a similar implementation for CarrierWave or Paperclip?

thanks

+1
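The Facebook-style URL from the question is a signed, expiring link: the server hands out a URL that only stays valid for a while and cannot be altered without invalidating the signature. The following is an added example (not code from the question or from Facebook) that implements that pattern in plain Ruby; it assumes `oe` carries the expiry time as hex seconds and `oh` an HMAC over path and expiry, which is a guess at their role, not documented behaviour, and the key is a constructed demo value.

```ruby
require 'openssl'
require 'uri'

# Constructed demo key; a real deployment loads this from the credentials store.
SIGNING_KEY = 'constructed-demo-key-rotate-in-production'.freeze

# HMAC bound to both the path and the expiry so neither can be swapped alone.
def image_signature(path, expires_at, key)
  OpenSSL::HMAC.hexdigest('SHA256', key, "#{path}|#{expires_at}")
end

# Produce "/path?oe=<hex expiry>&oh=<hmac>" for an image the current user may see.
def sign_image_url(path, key: SIGNING_KEY, ttl: 3600, now: Time.now.to_i)
  expires_at = now + ttl
  params = { 'oe' => expires_at.to_s(16), 'oh' => image_signature(path, expires_at, key) }
  "#{path}?#{URI.encode_www_form(params)}"
end

# Constant-time comparison so a wrong signature is not rejected byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True only when the URL is unexpired and the signature matches path + expiry.
def verify_image_url(url, key: SIGNING_KEY, now: Time.now.to_i)
  uri = URI.parse(url)
  params = Hash[URI.decode_www_form(uri.query.to_s)]
  return false unless params['oe'] && params['oh']
  return false unless params['oe'].match?(/\A[0-9a-f]+\z/)
  expires_at = params['oe'].to_i(16)
  return false if now >= expires_at
  secure_compare(image_signature(uri.path, expires_at, key), params['oh'])
end
```

Authorization happens once, when the URL is issued; afterwards the web server or CDN only has to recompute one HMAC per request instead of hitting the application and database for every image in a gallery.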
3 answers

I worked with this a bit (only with Paperclip).

There is one solution, but it requires a lot of processing.

If you want to hide your files from enumeration, you can hash your Paperclip attachment paths, see this: https://github.com/thoughtbot/paperclip/wiki/Hashing

If you want to authorize the user every time an image is requested, you can do it as follows:

Move your files out of the public folder

    has_attached_file :image,
                      styles: { large: '1500x1500>', small: '250x250>' },
                      path: ':rails_root/storage/gallery/image/:style/:filename'

Use send_file to serve the file

    def show
      send_file(object.image.path(:small),
                filename: object.image_file_name,
                type: 'image/png',
                disposition: 'inline',
                x_sendfile: true)
    end

However, I am a little reluctant to implement this for, say, an image gallery, since each image requires a GET action plus an authorization check. Using x_sendfile works with Apache to speed up image delivery.

Ref: http://apidock.com/rails/ActionController/Streaming/send_file

+1
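The answer above combines two ideas: store the files under a path that cannot be guessed, and authorize every request before handing the path to send_file. The block below is an added example in plain Ruby, not code from the answer or from Paperclip; it reimplements the hashed-path idea rather than calling Paperclip's own `:hash` interpolation, and `User`, `Attachment`, `STORAGE_ROOT` and `PATH_SECRET` are constructed for the demo.

```ruby
require 'openssl'

STORAGE_ROOT = '/srv/app/storage/gallery'.freeze   # constructed, outside public/
PATH_SECRET  = 'constructed-demo-secret'.freeze    # constructed; keep out of the repo

User       = Struct.new(:id, :group_ids)
Attachment = Struct.new(:id, :group_id, :filename, :updated_at)

# HMAC over the attachment's identity: the directory name cannot be predicted
# from the record id, so files are not enumerable even if the root is known.
def hashed_dir(attachment, secret = PATH_SECRET)
  data = "gallery/image/#{attachment.id}/#{attachment.updated_at}"
  OpenSSL::HMAC.hexdigest('SHA256', secret, data)
end

def stored_path(attachment, style, root: STORAGE_ROOT, secret: PATH_SECRET)
  File.join(root, hashed_dir(attachment, secret), style.to_s, attachment.filename)
end

# Group membership check the show action runs on every request.
def authorized?(user, attachment)
  user.group_ids.include?(attachment.group_id)
end

# The path the controller would pass to send_file, or nil when the user may not
# see the image. A resolved path that leaves the storage root (for example a
# stored filename containing "..") is refused as well.
def path_for_send_file(user, attachment, style, root: STORAGE_ROOT)
  return nil unless authorized?(user, attachment)
  path = File.expand_path(stored_path(attachment, style, root: root))
  return nil unless path.start_with?(File.expand_path(root) + File::SEPARATOR)
  path
end
```

In the controller this reduces to `path = path_for_send_file(current_user, object, :small)` followed by `head :forbidden` when it is nil and `send_file path, x_sendfile: true` otherwise; the hashed directory is what makes the `x_sendfile` shortcut safe to expose to Apache.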

I found this great Paperclip solution at https://makandracards.com/makandra/734-deliver-paperclip-attachments-to-authorized-users-only . Although the article is a bit outdated, it describes everything needed to protect not only access to the attachments but also the files themselves. It covers all the stages of the implementation, including Capistrano deployment!

Be sure to use the updated routing syntax by changing:

    map.resources :notes, :member => { :attachment => :get }

to

    resources :notes, only: [] do
      member do
        get :attachment
      end
    end

I also updated the link:

    link_to 'Download attachment', [:attachment, @note]

to

    link_to 'Download Attachment', attachment_note_path(@note.id)

Also see the plugin's url / path settings for configuring the URL.

0

CarrierWave stores uploads in /public by default, where everything is served as static content. If you need to control access to these uploads, I would start by setting a different storage path:

    class TestUploader < CarrierWave::Uploader::Base
      def store_dir
        Rails.root.join('uploads', relative_path).to_s
      end

      # Use this method to get the serving path of the upload
      def serving_path
        File.join '/uploads', relative_path
      end

      private

      # <plural model name>/<record id>, shared by store_dir and serving_path
      def relative_path
        File.join model.class.model_name.plural, model.id.to_s
      end
    end

Since CarrierWave relies on public assets to serve uploads, you will have to implement your own way of serving the files. This is a dumb example of how to do this with Rails.

    class Test < ApplicationRecord
      mount_uploader :file, TestUploader
    end

    Rails.application.routes.draw do
      get '/uploads/:model/:id', to: 'uploads#get'
    end

    class UploadsController < ApplicationController
      def get
        # ... authorization logic
        # Note: :model comes straight from the URL, so any constant name can be
        # tried here; restricting it to the models that mount the uploader is safer.
        model = params.fetch(:model).singularize.camelcase.safe_constantize
        return head 400 unless model.present?
        send_file model.find(params.fetch(:id)).file.path
      end
    end
0
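The controller in the answer above derives a model class from the `:model` route parameter with `safe_constantize`. The following is an added example, not part of the answer or of CarrierWave, that redoes that lookup in plain Ruby so it runs without Rails: the route parameter is mapped through an explicit allowlist of models that actually mount the uploader, the id is validated before it reaches the finder, and the result is the status and path the action would use. `TestRecord`, `RECORDS` and `UPLOAD_ROOT` are constructed stand-ins for the model, the database and `Rails.root.join('uploads')`.

```ruby
UPLOAD_ROOT = '/srv/app/uploads'.freeze          # constructed stand-in for Rails.root/uploads

TestRecord = Struct.new(:id, :file_name)          # constructed stand-in for the Test model
RECORDS = { TestRecord => { 1 => TestRecord.new(1, 'report.pdf') } }.freeze  # constructed "database"

# Only models that mount the uploader may be addressed from the URL; the key is
# the plural name the uploader's relative_path puts in the storage directory.
UPLOADABLE_MODELS = { 'tests' => TestRecord }.freeze

def resolve_model(param)
  UPLOADABLE_MODELS[param]   # nil for anything not on the allowlist
end

# Mirrors TestUploader#relative_path: <plural model name>/<id>/<stored file>
def upload_path(model_param, record)
  File.join(UPLOAD_ROOT, model_param, record.id.to_s, record.file_name)
end

# Returns [status, path]: 400 for an unknown model or a non-numeric id,
# 404 for a missing record, 200 plus the path to hand to send_file otherwise.
def lookup_upload(params)
  model = resolve_model(params['model'].to_s)
  return [400, nil] unless model
  return [400, nil] unless params['id'].to_s.match?(/\A\d+\z/)
  record = RECORDS.fetch(model, {})[params['id'].to_i]
  return [404, nil] unless record
  [200, upload_path(params['model'], record)]
end
```

Inside the real action the authorization check the answer leaves as a comment goes between the allowlist lookup and `send_file`; with the allowlist in place a request can only ever name a model the application chose to expose through this route.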

Source: https://habr.com/ru/post/1240306/
