Rails - hide file url from users (rails 3.1 + carrierwave + google storage for developers)
06-12-2019
Question
I've built an application, deployed on Heroku, that uses CarrierWave to keep all uploaded files, and I've set up Google Storage for Developers for keeping those files there.
Up to here everything is working fine, but I would like to keep the files private, i.e. the user must be authorized to view them. In the development environment everything works very well.
In order to hide the file source URL from users I made the following decisions:
initializers/carrierwave.rb

    CarrierWave.configure do |config|
      if Rails.env.production?
        config.storage = :fog
        config.fog_credentials = {
          :provider => 'Google',
          :google_storage_access_key_id => 'xxx',
          :google_storage_secret_access_key => 'yyy'
        }
        config.fog_directory = 'wwww'
      else
        config.storage = :file
      end
    end

controller
This gets the file contents in order to hide its path and name from public eyes

    def get_file
      if Rails.env.production?
        redirect_to URI.encode @media_asset.attachment_url
      else
        send_file ("public/"+@media_asset.attachment_url.to_s),
                  :type => @media_asset.attachment_content_type,
                  :length => @media_asset.attachment_file_size,
                  :status => "200 OK",
                  :x_sendfile => true,
                  :filename => "media_asset",
                  :disposition => 'inline'
      end
    end

Apparently this would do the job, but using a normal browser developer tool, everybody would see the path to the Google Storage bucket and would be able to access all files.
Do you have a clue on how to resolve this issue? Is it even possible to do with Google Storage for Developers?
Thanks in advance,
Solution
Do your users have Google accounts? If so, you can use the authenticated download mechanism:
https://developers.google.com/storage/docs/authentication#cookieauth
Other tips
You can use the newly released Signed URLs feature (https://developers.google.com/storage/docs/accesscontrol#Signed-URLs) to do this in Google Cloud Storage.
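
A sketch of the signed-URL approach suggested above, as an added example that is not part of the original thread: it builds a short-lived GET URL for one private object, so the bucket itself never has to be publicly readable. It assumes the RSA-based (V2-style) signed URL layout and a service account private key; the function name, bucket, object and access id are hypothetical, the key is a throwaway generated for the demo, and the exact signing scheme should be checked against the current Cloud Storage documentation.

```ruby
require 'openssl'
require 'uri'

# Percent-encode one path segment (space becomes %20, "/" is handled by the caller).
def encode_segment(segment)
  URI.encode_www_form_component(segment).gsub('+', '%20')
end

# Returns a time-limited GET URL for a private object.
# String to sign (assumed V2 layout): VERB \n MD5 \n CONTENT-TYPE \n EXPIRES \n RESOURCE
def gcs_signed_url(bucket, object, access_id, private_key, expires_at)
  resource = "/#{bucket}/" + object.split('/').map { |s| encode_segment(s) }.join('/')
  expires  = expires_at.to_i.to_s
  string_to_sign = ['GET', '', '', expires, resource].join("\n")

  # RSA signature over SHA-256 of the string, base64 without line breaks.
  signature = [private_key.sign(OpenSSL::Digest::SHA256.new, string_to_sign)].pack('m0')

  query = {
    'GoogleAccessId' => access_id,
    'Expires'        => expires,
    'Signature'      => signature
  }.map { |k, v| "#{k}=#{URI.encode_www_form_component(v)}" }.join('&')

  "https://storage.googleapis.com#{resource}?#{query}"
end

# Constructed demo values: a throwaway key stands in for the service account key.
DEMO_KEY = OpenSSL::PKey::RSA.new(2048)
DEMO_URL = gcs_signed_url('example-bucket', 'uploads/my report.pdf',
                          'svc-account@example.invalid', DEMO_KEY,
                          Time.now + 300) # valid for five minutes
puts DEMO_URL
```

In the controller, the redirect would go to this URL only after the authorization check has passed. Anyone who obtains the URL can use it until it expires, so keep the lifetime short.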