在Rails应用程序中限制对图像的访问 [英] Restrict access to images in Rails app
问题描述
我有rails项目。在我的项目中,我在服务器上加载图像(rails 3 + paperclip + devise + cancan)。我想限制对文件的访问(例如,原始图像只能由管理员查看)。我应该怎么做?
I have rails project. In my project I load images on server (rails 3 + paperclip + devise + cancan). I want to limit access to files (for example, the original image can be viewed only by the administrator). How should I do it?
推荐答案
如果您要限制数据库中的属性,那么一种方法是提供图像通过控制器。它不是最高效的,但它是安全的。
If you are limiting by an attribute in your database then one way would be to serve the image via a controller. It's not the most performant but it is secure.
我没有试过这个,但是如果你从像
I haven't tried this out, but if you were serving the image from a URL like
/images/picture_of_mickey_mouse.png
然后你可以创建一个路线你的应用程序使用文件名属性响应 / images
并通过控制器提供所有这些图像。
then you could create a route in your app that responds to /images
with a filename attribute and serve all those images through a controller.
例如
class ImagesController < ApplicationController
before_filter :authenticate_admin!, :only => [:show]
def show
send_file "/images/#{params[:filename]}", :disposition => 'inline'
end
end
您可能希望确保消毒然而, params [:filename]
,否则用户就可以下载服务器上的任何文件了!
You would want to make sure you sanitize the params[:filename]
however, otherwise the user would be able to download any file on your server!
send_file
上的文档位于: http:/ /apidock.com/rails/ActionController/DataStreaming/send_file
这篇关于在Rails应用程序中限制对图像的访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!