How does carrierwave upload caching functionality work? From what I've read, it looks like it keeps the uploaded file in public/uploads/tmp to avoid reupload across form redisplays. I am guessing the cache would get assigned a unique id, but still be publicly accessible. How to make it more secure for sensitive uploads or disable this feature altogether?
One way to avoid this is to have the uploader as a separate model from the target model, such that validation errors won't require reuploading.
CarrierWave keeps uploaded images in a cache dir so you can easily re-submit forms in case of validation errors without forcing your users to re-upload images.
The cache dir by default is public/uploads/tmp, but you can change it by setting the cache_dir configuration parameter.
Usually uploaded images are available for download without authentication. Therefore, placing uploaded and cached files in a public directory is fine. You can also change your uploader class to have a filename method that generates a unique random ID to make it less guessable.
By the way, this blog post describes how to integrate CarrierWave while storing and transforming images in the cloud and delivering through a CDN.
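For sensitive uploads, the two settings mentioned in the answer above (cache_dir and a random filename) can be combined as in the following sketch. This is an added example, not code from the original answer or from the CarrierWave project. The paths, the module name PrivateUploadSettings, the helper cache_publicly_served? and the FakeUploader stand-in are all hypothetical, and the helper assumes that a relative cache_dir is resolved against the uploader root, taken here to be public/.

```ruby
require "securerandom"

# Constructed paths for the example; a Rails app would use Rails.root.
APP_ROOT    = "/srv/app"
PUBLIC_ROOT = File.join(APP_ROOT, "public")

# Overrides meant to be mixed into a CarrierWave uploader, e.g.
#   class DocumentUploader < CarrierWave::Uploader::Base
#     include PrivateUploadSettings
#   end
module PrivateUploadSettings
  # Absolute path outside public/, so cached files are not web-served.
  def cache_dir
    File.join(APP_ROOT, "tmp", "uploads", "cache")
  end

  # Random stored name; only the original extension is kept.
  def filename
    return if original_filename.nil? || original_filename.empty?
    @random_name ||= SecureRandom.hex(16)
    "#{@random_name}#{File.extname(original_filename).downcase}"
  end
end

# Audit helper: does a cache_dir value end up under the public root?
# Assumption: relative values are resolved against the uploader root,
# which is public/ in this example. Symlinks are not followed.
def cache_publicly_served?(cache_dir, root = PUBLIC_ROOT)
  resolved = File.expand_path(cache_dir, root)
  resolved == root || resolved.start_with?(root + File::SEPARATOR)
end

# Stand-in for an uploader so the overrides run without the gem.
FakeUploader = Struct.new(:original_filename) do
  include PrivateUploadSettings
end

if __FILE__ == $PROGRAM_NAME
  up = FakeUploader.new("Payslip 2024.PDF")   # constructed sample name
  puts up.filename                             # 32 hex chars + ".pdf"
  puts cache_publicly_served?("uploads/tmp")   # default-style relative dir
  puts cache_publicly_served?(up.cache_dir)    # private absolute dir
end
```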