This is a simple question but I can't seem to find an answer for it anywhere. If you store some files (say some static PDFs) in your public directory, is there a way that someone who isn't authorized to view those files, can view them by typing in a url like example.com/public/static_document.pdf? If so, can you disable this in Rails?
The public is definitely public and open to people guessing the URL.
Check out Ruby On Rails - Securing Downloads Area for someone else asking similar.
I store these generally in Rails.root/secure_files and then use send_file in the Controller to authorize and send these files.
The public folder contains the static files and compiled assets for the client to read. The folder by default is accessible to anyone visiting your site. Test it by typing in a slug of the folder name currently in your public folder.
Related
I have a Vapor server API running in Heroku supporting an iOS app. I want to create a simple landing page for my app and I would like to host it in my existing Vapor server. How could I do that?
Vapor actually has a built-in middleware that makes this very easy. First, make sure you have a Public directory at the root of your Vapor project. Then you can put your static HTML page in there, along with any CSS and JS files it might rely on.
Next, you just need to add FileMiddleware to your application's middleware (docs):
let file = FileMiddleware(publicDirectory: app.directory.publicDirectory)
app.middleware.use(file)
Now you can access any of the files in your Public directory using their relative directory path as the path in the URL to your app. For example, if you have a static directory in your Public directory, and put a home.html file in it, you request the page by going to http://localhost:8080/static/home.html in your browser.
When assets like images or files are in the rails public directory with asset pipeline enabled, is everyone allowed to access them through URL?
I am asking this because now I am learning about implementing File Uploading through Carrierwave with the help of the book, Rails 4 in Action, and it says the files should be moved outside the public folder for access control.
If assets are in the public folder, does it mean that we can't do access control?
Any one can access the contents of public folder through URL.
Ref:
Are files in public folder accessible to outside world? - Rails
Looking for suggestions on how to host static files through an MVC app.
I have an MVC SPA (basically a bunch of static html, js and img files). I want users to be able to access these static files only after they have logged into my MVC application. I am running on a windows server platform, using IIS.
Currently I am doing this:
RouteTable.Routes.IgnoreRoute("AngularApp/{*path}"); //to serve up angular files from AngularApp folder
However this has a number of problems.
I don't really want to ignore the route, I want the MVC controller to check if the user has permissions (like my other controllers do), if not redirect to login page and if so, then instead of sending them to a view, allow them to load any files in a particular folder or subfolders. But the folders these files load from need to be a different path than the route URL requested. For example I don't want users to have to go to mysite.com/angularseedapp/deploy/app/mypage.html but rather if they request mysite.com/a/mypage.html I want it to serve up the file from there.
This seems simply a matter of being able to have MVC redirect and fetch files from a different folder, but I have no idea how to do this.
Could someone knowledgeable about MVC please give me a step by step simple way to do this? When I try to fetch files outside the views folder this seemingly simple task results in various permissions and other kinds of errors because I don't know how to do it correctly.
Thanks!
P.S. To clarify, I know how to get my controller to check permissions and redirect, to any single file in the views folder, but how do I do it for a whole folder of files and directories in a higher level folder? I want to map the route, have it go to a controller, then instead of going to a view I want it to take me to static files. I suspect there is some way to use maproute() in global.asax to help me do this but I do not have a lot of experience with that.
I may be oversimplifying but I usually select the application in IIS Manager and then select Mime Types, they add mappings for whatever types you want to map statically. I've done this for HTML and JSON files before and it worked fine. Use type = text/javascript or application/json etc.
I am authoring an MVC application that is hosted by another MVC hosting solution. The dll from the client app is copied into the bin folder of the hosting app. The Views, Views/Shared, Scripts, Content, ... are all copied to the hosting project as well. In the Hosting solution, I've created an Area that will act as the base for any of the client apps and dynamically create routes to the view via a warmup routine. This part works great.
However, my javascript bundles do not render as I would hope, I believe it is because they files aren't being found. In this client app, I have two JS files...for simplicity's sake, javascript1.js and javascript2.js. The are located in my Scripts folder of my client app: C:\MyClientApp\Scripts\*.js. Upon compilation, a post build event copies the files to the Hosting solution: C:\MyHostingApp\Scripts\MyClientApp\*.js.
In an app startup (also done in the warmup routine), my bundle is built:
[assembly: WebActivatorEx.PostApplicationStartMethod(typeof(MyClientApp.AppStart), "Start")]
namespace MyClientApp
{
public static class AppStart
{
public static void Start()
{
ConfigureBundles();
}
private static void ConfigureBundles()
{
var bundle = new ScriptBundle("~/MyClientApp/Js")
.Include("~/Scripts/javascript1.js")
.Include("~/Scripts/javascript2.js");
BundleTable.Bundles.Add(bundle);
}
}
}
In my view, I would like to call #Scripts.Render("~/MyClientApp/Js"). This doesn't work though, nothing is rendered. My assumption is that it is looking for that bundle under the root of the application, not under the MyClientApp. In an attempt to properly locate the bundle, I tried writing an HtmlHelper extension to resolve the bundle...though the best I could get it to do was to resolve the bundle name into my source and ultimately it seemed that there must be a simpler way to accomplish this. Any ideas on how to render these bundles? Is there something I can do with the routing engine, comparable to Views to locate JS (and eventually css) files?
Thanks!
Bundling currently uses a VirtualPathProvider to find the files for the bundles. The built in VirtualPathProvider only knows about files within the application. If you want to be able to reference files outside of the app, you could try implementing your own VPP that can retrieve files outside of the app.
I want to be able to have a folder which allows regular access like the \content folder except that it holds a ClickOnce application. I can't seem to be able to achieve this using Mvc, but I'd like to have this folder accessible without Mvc seeing it as a controller action.
I tried using routes.Ignore(theUrl), but this seemed to have no effect.
There are two ways you can do this. The first is where you are currently going, which is to satisfy it with routing. You should be able to use the following to ignore the intended route:
routes.IgnoreRoute("...")
However, this might not be the right approach from a security stand point. I would recommend you define an explicit action to download your click-once exe. Have a look at this q/a as an example of using the FileContentResult class.
The reason for this is that you can control security for that file without having to open up access levels to other directories.
Edit: If this is for an entire directory, you can still follow this same approach.
Set up the folder as a virtual folder in the website on IIS. then you can set the url in the code to point to the machine serving the request and to the virtual folder on the web server.