I have a gallery in my rails app that needs to only allow certain images to be shown to specific, logged in users. I am using Paperclip for image processing now, but it saves all images in a public folder available to anyone.
Note that I don't have to use Paperclip if there is a better way, and I already have the login system in place. I just need a way to place the images in a non-public location, but still be able to serve them as needed.
Is it possible to only allow these images to be served to authenticated users?
Here you can find how to change the path of the uploaded pictures. If you have done this. You need to create a controller which serves these static files.
For Example: Paperclip sample app part 2: downloading files through a controller
Is it possible to only allow these
images to be served to authenticated
users?
Yes, you just need to check if the user is logged in in the controller action responsible for the image.
Related
I'm trying to do something a bit complicated and I'm not entirely sure how to go about it. Could you please give me some pointers on the tech I should use and how I should go about implementing this. Here's what I need to do:
Create an iOS app that allows the user to upload pictures from his camera roll and modify variables with sliders. (so far so good)
These variables and graphics are used to modify some htlm5 code (i.e. the graphics the user supplies are called by the hmtl code and the variables modify some set variables in the script) (Do I just edit the code as a string?)
The code is put together and uploaded to a server where it is accessible at a unique URL. The user can save multiple times and each time it creates a new URL. (Do I need an FTP here?)
Your question is too general, but as far as I can help, Yes you have to create and edit some html source texts, and append every object that user is adding to the page as some html codes, files, css, etc.
and for uploading, if you want the user to upload the site to his/her own ftp server or web hosting service, yes you need FTP connection to create with the server.
But if you want your user to upload the website to a space you're providing for the user, then you need some server part and maybe some APIs. then you may use FTP or even some APIs to create and update files on your server. It highly depends on the service you want to provide.
I am creating a site using ASP.NET MVC4, one of the functions on the site is for users to upload images. The images may be of a personal nature, almost definitely containing images of their children.
The images are being stored on MS Azure SQL Database along with their metadata. To save bandwidth usage on azure, once the image has been downloaded, it saves to a user directory
~/UserImages/<Username>/<Image>
When the gallery page is loaded, the controller action checks the database against what is in the users directory and just brings down any not already there.
The <Username> part of the directory is created by the controller when required, so I am unable to set IIS permission on it. However even if I was, I am unsure what IIS could do as the users are not known in advance (new registrations etc).
Due to MVC routing, it wont be possible for users to access other users directories by guessing usernames, however if you can guess a username AND imagename, then it does display. I am looking for ideas on preventing that from happening to minimise the chance of someone elses images becoming exposed to others.
I have tried an IgnoreRoute but this didn't work.
routes.IgnoreRoute("UserImages/{*pathInfo}");
Ideally I would have the UserImages directory cleared on logout but not everyone will use logout command. If they were cleared out there is a much smaller chance of something finding the combination of username and imagename before the files are removed.
How about instead of storing your cached images within the actual site structure as static content fed by IIS, you store the images in a path outside the site.
That would ensure no unauthorized user could access them directly.
Then you can provide access to those images through a Controller (UserImagesController maybe) Action that can validate that the image being requested is one to which the current user has access.
Your check might end up being as simple as checking the requested UserName parameter of the action is the same as your current user's UserName.
With this approach you can also control the cache headers, expiration, etc, of those images.
This question already has answers here:
Storing Images in DB - Yea or Nay?
(56 answers)
Closed 10 years ago.
in my website, user can upload a profile image.
I wanted to know what is the best way to store those images.
my thought is simply dedicated directory. the image name will be the user_id.
is that a good solution, or there's a smarter one?
You have two options, store the images or use an external source (gravatar).
If you're going to store the images, do you want these images to be publically available or are they private? If they are publically available, then you can store them in your public folder.
You can use something like carrierwave to handle the uploading, versioning and storing of the images.
For public stuff, I'll store the file in the public directory under the uploader/model name/field name/id location. This is more for organizational purposes on my part.
Check out http://railscasts.com/episodes/253-carrierwave-file-uploads for a good tutorial.
For private images, I'll set the store directory to something outside of the public folder and will create a download action within the controller with the file. This way, the user cannot download the file unless it goes through the controller action. With authorization (cancan) I can allow or disallow a user to access the download action for that particular file (hence making it somewhat secure). If you are going to be using a production server like apache or nginx, make sure that you set the appropriate handlers for sending the file (ie x_sendfile).
Its very common to store images in a directory for small applications. However there are a few of things to take into consideration here:
Do you have anticipate a lot of users? If you have a million users, storing everyone's photo in your directory will take up a lot of memory when running your application
Are you deploying on Heroku? Many RoR apps are, and if you deploy on Heroku it will destroy any files you store locally when your app is moved to a different dyno (and you generally have no way of predicting when this will happen). You can read about the Ephemeral filesystem here https://devcenter.heroku.com/articles/dynos#isolation-and-security
In general I would advise against storing all your images locally because rewriting the code as you scale will become painful. I recommend you upload to an Amazon S3 Bucket and download the images as you need (and cache them for when your user is logged in). Its helpful becasue you might have to deal with image processing (for example resizing the images that are uploaded, creating thumbnail versions of the uploaded images) and its easier to do this when you have background processes that have persistent access to these files. I've used the 'aws' gem and S3 libraries for this, and its really easy to use, you can read more about it here: http://amazon.rubyforge.org/
However, if you intend for this to be a small app and are not deploying on Heroku, just saving it to a local directory is a lot easier and pain-free
In my web application, each user will have a logo. I am pretty sure each user will also have a photo gallery in the future. What is the best way to set up a directory structure for managing user logos and possibly other assets such as photos? Also would be good to get people's opinions on what to store in the database. My application is a Rails app.
Just to be clear, this web application will need to scale to possibly hundreds of thousands of users.
There are plugins that offer drop in functionality for the things you're looking to do.
Essentially they work similarly to what Pindatjuh suggests. But you should check out attachment-fu and paperclip to see how the others have done it.
If it's a small web application and you have a database:
One folder containing all avatars (logos). In the database you set the filename of the avatar. Also another folder containing all photo's in a gallery. In the database you have one entry for each asset, pointing to the resource and user.
If it's a bigger, or growing, application, you can automatically create more folders (scripted: each 100 files create a new folder), or even load-balancing by having more than one server solely providing assets.
If you don't have a database:
Create a folder per user, which contains their avatar and assets. This one does not grow, since you don't have a database which points to the user-assets: if you have more than one server, you can't say "which" server the resources are on.
I need to create a photo gallery service that is managed by users. I've done this a million times using just Asp.net but I was wondering if there are any special considerations that I need to make when using Asp.net MVC.
Basically, I will be storing the actual images on the filesystem and storing the locations in a database linking the images to a specific user. The images in a user's gallery should NOT be accessible by anyone except registered users. Meaning, I need to somehow prevent users from sharing the URL of an image from a gallery with someone who is not a user of the site.
In the past I did this using some generic handlers which authenticated that the request is allowed to access the image resource. Can I use the same pattern but using Controllers instead? I was thinking of perhaps creating a Photo Controller and just a simple Get action. Would this require that I have a View just for displaying an Image?
Am I on the right track or are there better ways of doing this? (Besides storing images in the DB)
This link explains how to create a custom ImageResult class. I was able to do exactly what I needed following it
https://blog.maartenballiauw.be/post/2008/05/13/aspnet-mvc-custom-actionresult.html
It's not a complete answer but I'd look at using a route that restricts access to the actual files themselves and then possibly use authentication of the action that gets an image.