安全地显示使用回形针宝石上传的图像 [英] Securely Display an Image Uploaded with paperclip gem
问题描述
默认情况下:回形针 gem 将所有附件存储在公共目录中.
By Default: the paperclip gem stores all attachments within the public directory.
出于安全原因,我不想将附件存储在公共目录中,因此我将它们保存在应用根目录的 uploads 目录中:
I did not want to store the attachments within the public directory for security reasons, so I saved them within an uploads directory at the root of the app:
class Post < ActiveRecord::Base
belongs_to :user
has_attached_file :some_image, path: ":rails_root/uploads/:attachment/:id/:style/:filename"
do_not_validate_attachment_file_type :some_image
end
我没有指定 url 选项,因为我不想要每个图像附件的 url.如果指定了 url:那么任何拥有该 url 的人都可以访问该图像.这是不安全的.
I did not specify the url option because I do not want a url for each image attachment. If a url is specified: then ANYONE with that url can access the image. This is not secure.
在 user#show 页面中:我想实际显示图像.如果我使用所有回形针默认值,那么我可以这样做,因为图像将在公共目录中,而图像将有一个网址:
In the user#show page: I want to actually display the image. If I were using all of the paperclip defaults then I could just do this because the image would be within the public directory and the image would have a url:
<p>
<strong>Some image:</strong>
<%= image_tag @post.some_image %>
</p>
看来,如果我将图像附件保存在公共目录之外并且不指定 url(再次:这样做是为了保护图像),那么图像将不会在视图中呈现.
It appears that if I save the image attachments outside the public directory and do not specify a url (again: doing this to secure the image), then the image will not render in the view.
我知道如何通过 pundit gem 在整个应用程序中进行授权.但是,当该图像可公开访问时,对图像进行授权是无用的.因此,我尝试通过删除 url 并将图像保存在公共目录之外来使图像不可公开访问,但随后图像不再呈现在视图中.
I am aware of how to authorize throughout an application via the pundit gem. However, authorizing for an image is useless when that image is publicly accessible. So I attempt to make the image not publicly accessible by removing the url and saving the image outside the public directory, but then the image no longer renders in the view.
更新:我的问题实际上归结为:我的图像保存在我的 rails 应用程序中.使用回形针:有没有办法在视图中安全地显示图像?换句话说:使图像没有自己单独的 url(因为任何拥有该 url 的人都可以访问该图像,从而使该图像不安全).以下是我所说的安全显示图像的一些示例:
Update: My question really boils down to this: My images are saved within my rails application. With paperclip: is there any way to securely display an image in the view? In other words: Make it so that the image does not have its own separate url (because ANYONE with that url can access that image, making that image not secure). Here are some examples of what I mean by securely displaying the image:
- 示例 1:仅在用户登录时显示图像.(图像没有自己单独的 url,因此没有其他方法可以访问图像)
- 示例 2:仅当用户与此图像相关联时才显示该图像.(图片没有自己单独的网址,所以没有其他方法可以访问图片)
附加更新:我知道我可以安全地发送带有 send_file 的文件,它允许用户下载图像,但这不是我想要做的这里.我不希望用户下载图像.相反:我希望用户能够实际看到网页上的图像.我想安全地显示/渲染页面上的图像.使用 send_file (据我所知)允许用户下载文件.它不会在页面上呈现图像.
Additional Update: I am aware that I can securely send a file with send_filewhich allows the user to download the image, but that is not what I want to do here. I do not want the user to download the image. Instead: I want the user to be able to actually see the image on the webpage. I want to securely show/render the image on the page. Using send_file (as I understand it) allows the user to download the file. It does not render the image on the page.
推荐答案
你可以使用 send_file.假设您的路线中有 secure_image 操作:
resources :posts do
member do
get :secure_image
end
end
以及相应控制器中的以下方法:
and following method in corresponding controller:
def secure_image
send_file Post.find(params[:id]).some_image.path
end
您可以在视图中使用受保护的图像:
you can use protected images in your views:
<%= image_tag secure_image_post_path(@post) %>
这里发生了什么:通常 Rails(或 nginx 或 apache)发送静态文件直接绕过安全检查以提高速度.但是对 secure_image 操作的请求会贯穿整个 Rails 堆栈,因此它受到您的身份验证系统的保护.
What's happening here: usually Rails (or nginx or apache) sends static files directly bypassing security checks in sake of speed. But request for secure_image action goes through whole Rails' stack, so it is protected with your authentication system.
这篇关于安全地显示使用回形针宝石上传的图像的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
