Question

I've built an application, deployed on Heroku, that uses CarrierWave to keep all uploaded files, and I've set up Google Storage for Developers to keep those files there.

Up to here everything is working fine, but I would like to keep the files private, i.e. the user must be authorized to view them. In the development environment everything works very well.

In order to hide the file's source URL from users I made the following decisions:

initializers/carrierwave.rb

CarrierWave.configure do |config|
  if Rails.env.production?
    config.storage = :fog
    config.fog_credentials = {
      :provider                         => 'Google',
      :google_storage_access_key_id     => 'xxx',
      :google_storage_secret_access_key => 'yyy'
    }
    config.fog_directory = 'wwww'
  else
    config.storage = :file
  end
end

controller

This serves the file contents in order to hide its path and name from public eyes:

def get_file
  if Rails.env.production?
    # production: redirect the browser to the object's storage URL
    redirect_to URI.encode(@media_asset.attachment_url)
  else
    # development: stream the file from the local public/ directory
    send_file("public/" + @media_asset.attachment_url.to_s,
              :type        => @media_asset.attachment_content_type,
              :length      => @media_asset.attachment_file_size,
              :status      => "200 OK",
              :x_sendfile  => true,
              :filename    => "media_asset",
              :disposition => 'inline')
  end
end

Apparently this would do the job, but using an ordinary browser developer tool everybody would see the path to the Google Storage bucket and would be able to access all the files.

Do you have a clue how to resolve this issue? Is it even possible to do with Google Storage for Developers?

Thanks in advance,


Solution

Do your users have Google accounts? If so, you can use the authenticated download mechanism:

https://developers.google.com/storage/docs/authentication#cookieauth

OTHER TIPS

You can use the newly released Signed URLs feature (https://developers.google.com/storage/docs/accesscontrol#Signed-URLs) to do this in Google Cloud Storage.
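As an added illustration of the Signed URLs approach (this is example code, not from the original answer or from CarrierWave/fog), the following shows what a V2 Google Cloud Storage signed URL consists of and why it fixes the asker's problem: the bucket stays private, the Rails action redirects to a URL that carries an expiry and an RSA-SHA256 signature over the bucket path, so copying the URL out of the browser's developer tools only yields access until the `Expires` timestamp, and editing the object name invalidates the signature. The service account e-mail and the RSA key are constructed placeholders; in a real deployment the key comes from the service account's credentials file and the bucket must not grant read access to allUsers, otherwise signing is pointless. The `verify_signed_url` function stands in for the check Google performs server-side, so the example can be exercised offline.

```ruby
require "openssl"
require "base64"
require "cgi"
require "uri"

# Constructed placeholders: a throwaway RSA key standing in for the service
# account's private key, and a made-up service account address.
SERVICE_ACCOUNT_EMAIL = "uploader@example-project.iam.gserviceaccount.com"
PRIVATE_KEY = OpenSSL::PKey::RSA.new(2048)
GCS_HOST = "https://storage.googleapis.com"

# V2 string-to-sign for a single object request:
#   VERB \n Content-MD5 \n Content-Type \n Expires \n /bucket/object
# Object names with characters outside the unreserved URL set must be
# percent-encoded identically here and in the URL; this example keeps to
# plain names.
def string_to_sign(bucket, object_path, expires, verb: "GET", content_md5: "", content_type: "")
  resource = "/#{bucket}/#{object_path}"
  [verb, content_md5, content_type, expires.to_s, resource].join("\n")
end

# Produces the URL the controller would redirect to instead of the raw
# attachment URL. Short lifetimes (a few minutes) limit how long a leaked
# link stays usable.
def signed_url(bucket, object_path, expires_in: 300, now: Time.now,
               key: PRIVATE_KEY, email: SERVICE_ACCOUNT_EMAIL)
  expires = now.to_i + expires_in
  signature = key.sign(OpenSSL::Digest.new("SHA256"),
                       string_to_sign(bucket, object_path, expires))
  encoded = CGI.escape(Base64.strict_encode64(signature))
  "#{GCS_HOST}/#{bucket}/#{object_path}" \
    "?GoogleAccessId=#{CGI.escape(email)}&Expires=#{expires}&Signature=#{encoded}"
end

# Offline stand-in for the storage service's check: reject expired links,
# then confirm the signature covers exactly the requested bucket and object.
def verify_signed_url(url, public_key:, now: Time.now)
  uri = URI.parse(url)
  params = CGI.parse(uri.query.to_s)
  expires = params["Expires"].first.to_i
  return :expired if now.to_i > expires

  signature = Base64.strict_decode64(params["Signature"].first)
  bucket, object_path = uri.path.sub(%r{\A/}, "").split("/", 2)
  valid = public_key.verify(OpenSSL::Digest.new("SHA256"), signature,
                            string_to_sign(bucket, object_path, expires))
  valid ? :ok : :bad_signature
end

if __FILE__ == $PROGRAM_NAME
  url = signed_url("my-bucket", "media_assets/42/report.pdf")
  puts url
  puts verify_signed_url(url, public_key: PRIVATE_KEY.public_key)
end
```

In the asker's `get_file` action the production branch would become `redirect_to signed_url(bucket, @media_asset.attachment_path)` after the usual authorization check, with the key loaded from the service account credentials rather than generated per request. Client libraries such as the google-cloud-storage gem (`Google::Cloud::Storage::File#signed_url`) produce the same kind of URL without hand-rolling the signing.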

Licensed under: CC-BY-SA with attribution