I need to create a photo gallery service that is managed by users. I've done this a million times using just Asp.net but I was wondering if there are any special considerations that I need to make when using Asp.net MVC.
Basically, I will be storing the actual images on the filesystem and storing the locations in a database linking the images to a specific user. The images in a user's gallery should NOT be accessible by anyone except registered users. Meaning, I need to somehow prevent users from sharing the URL of an image from a gallery with someone who is not a user of the site.
In the past I did this using some generic handlers which authenticated that the request is allowed to access the image resource. Can I use the same pattern but using Controllers instead? I was thinking of perhaps creating a Photo Controller and just a simple Get action. Would this require that I have a View just for displaying an Image?
Am I on the right track or are there better ways of doing this? (Besides storing images in the DB)
This link explains how to create a custom ImageResult class. I was able to do exactly what I needed following it
https://blog.maartenballiauw.be/post/2008/05/13/aspnet-mvc-custom-actionresult.html
It's not a complete answer but I'd look at using a route that restricts access to the actual files themselves and then possibly use authentication of the action that gets an image.
Related
I am creating a new application that allow the users to either create content in the local application database or directly on Facebook.
Imagine the user have a CRUD interface for a Post. I have a created a model for Post that sub classes ActiveRecord::Base. Objects of this class has methods for saving the post to the local database.
However, the user is also able to "tick" and option in my application that says "connect to Facebook". When it is checked the content will not be stored in my local database but it will go directly to Facebook Graph API.
The service layer and controller layer is not aware of where the data actually goes. At least this is my idea.
My question is if I can use the same Post class for both local data and Facebook data? Some of the methods in the Post class would not make sense when the post object contains data from Facebook; such as the save method.
Does that design seem stupid? Should I create another Post class that is just a normal Ruby class without sub classing ActiveRecord::Base? Or are there other better ways?
When designing a class you should make it as lean as possible. A good way to look at it is counting the nouns and verbs that are included in your model. A post can be saved or deleted, but if your save and delete start having logic related to Facebook it's a good sign that this should belong to a different class altogether.
One more note related to Facebook: the new guidelines don't allow posting 'pre-written' posts for a user. Meaning that you won't be able to make a post to a users wall without prompting him with Facebook either way.
I don't see any problems with having Post < ActiveRecord::Base - that is the standard Rails way and it does look like you should implement the standard ways of storing data to your DB and look into the Facebook posting from another angle.
There are some definite problems with that approach - the first is that you will end up with alot of tight couplings to the Facebook API. I have had tons of grief from the FB API's changing without warning or not working as documented.
Another issue is performance - loading data from FB is often painfully slow even compared to reading from a DB across the wire. It is also prone to outrages (at least in my experience).
I would definitely use "proxy objects" which are stored in your database and regularly hydrated from Facebook instead.
I am creating a site using ASP.NET MVC4, one of the functions on the site is for users to upload images. The images may be of a personal nature, almost definitely containing images of their children.
The images are being stored on MS Azure SQL Database along with their metadata. To save bandwidth usage on azure, once the image has been downloaded, it saves to a user directory
~/UserImages/<Username>/<Image>
When the gallery page is loaded, the controller action checks the database against what is in the users directory and just brings down any not already there.
The <Username> part of the directory is created by the controller when required, so I am unable to set IIS permission on it. However even if I was, I am unsure what IIS could do as the users are not known in advance (new registrations etc).
Due to MVC routing, it wont be possible for users to access other users directories by guessing usernames, however if you can guess a username AND imagename, then it does display. I am looking for ideas on preventing that from happening to minimise the chance of someone elses images becoming exposed to others.
I have tried an IgnoreRoute but this didn't work.
routes.IgnoreRoute("UserImages/{*pathInfo}");
Ideally I would have the UserImages directory cleared on logout but not everyone will use logout command. If they were cleared out there is a much smaller chance of something finding the combination of username and imagename before the files are removed.
How about instead of storing your cached images within the actual site structure as static content fed by IIS, you store the images in a path outside the site.
That would ensure no unauthorized user could access them directly.
Then you can provide access to those images through a Controller (UserImagesController maybe) Action that can validate that the image being requested is one to which the current user has access.
Your check might end up being as simple as checking the requested UserName parameter of the action is the same as your current user's UserName.
With this approach you can also control the cache headers, expiration, etc, of those images.
I'm trying to figure out how to integrate a given view into the admin url scheme without manually setting up the url.
Background:
I have three models for which I get data in one CSV file (don't even ask why...). So the import view is not bound to a given model in my concept.
Is there any way to register a view without a model to the default admin site, so that I can add the view to the sidebar block in app_index with an url relative to the app (like "app/import")?
I would like to avoid writing the "admin/app/import" url to my urlconf. However, if that can't be avoided, could someone give me some tips how to at least make them portable? (like variables containing the apps name/base url for the app admin)
I don't know all the magic behind django yet.
I need to share some sensitive data among activities.
I have two EditText which are basically username and password
I am consuming a webservice which on the base of provided username and password return some user info (DataType:String). Like userid,useremail etc.. which is basically in CSV format
I need these piece of information throughout my application.But i can't figure out which is the better way.
-- One way i could found out so far is to use sqlite with MonoAndroid
-- Other way i found out is using Application class
I just started to learn android today , but i want to know if there are some other ways to share data ?
As you mentioned, a global Application class and the database are two good ways to share application-wide data. One thing to be careful with is that your Application class could be recycled when the app is in the background, so you would lose any data that hasn't been persisted to something more permanent.
In addition to the database, you can also persist data down to the filesystem as well. This recipe from Xamarin has an example of writing directly to a file. Most of the classes you'll need to do file access are found in the System.IO namespace. Mono for Android also supports isolated storage, which provides a higher level API for reading and writing files.
If you simply need to pass data directly between activities, you can do so by adding it as an extra to the intent. This recipe explains how to do that.
If you want to wrap up access to a particular resource in a more managed fashion that can be accessed by either other parts of your application or even external applications, you can look into implementing a content provider. Android itself provides several built-in content providers for resources like contacts and media, if you need an example of what it's like to use one. This recipe explains how to read from the contacts provider.
I have a gallery in my rails app that needs to only allow certain images to be shown to specific, logged in users. I am using Paperclip for image processing now, but it saves all images in a public folder available to anyone.
Note that I don't have to use Paperclip if there is a better way, and I already have the login system in place. I just need a way to place the images in a non-public location, but still be able to serve them as needed.
Is it possible to only allow these images to be served to authenticated users?
Here you can find how to change the path of the uploaded pictures. If you have done this. You need to create a controller which serves these static files.
For Example: Paperclip sample app part 2: downloading files through a controller
Is it possible to only allow these
images to be served to authenticated
users?
Yes, you just need to check if the user is logged in in the controller action responsible for the image.