限制系统文件访问公共

时间:2014-01-16 17:19:33

标签: ruby-on-rails ruby ruby-on-rails-3 activerecord

Ruby on Rails 3.2 我的应用程序将图像存储在:

http://name.name.com/system/images/imgs/xxx/xxx/xxx/thumb/xxx.jpg?xxxxxxxxx

我注意到你可以在没有登录时访问这些文件。我尝试在我的控制器中执行before_filter但是当我查看日志时没有查询,并且它没有使用控制器。

如何将对系统文件的访问权限仅限于我网站上的用户并登录?谢谢,

1 个答案:

答案 0 :(得分:1)

您需要从$ RAILS_ROOT / public文件夹中删除文件并将其移动到其他位置,例如$ SHARED_FOLDER /上传/.

然后创建指向控制器的路线:

class FilesController
  def show
    # first check credentials
    path = ... # use params to look up the path, but be careful to check the
               # validity!
               # It's probably best to have an index that contains valid files
               # and to only return those. Otherwise an attacker might be able
               # to compromise your server and your data.
    send_file path
  end
end