Here's a story:
I'm planning to use Paperclip for dealing with uploads.
If I store the images under "RAILS_ROOT/public/images", anyone who could guess the name of the files might access the files. (e.g., accessing http://example.com/public/images/uploads/john/family.png )
I need to show the images using img tags, so I cannot place a file except public.
How can I ensure that images of a user or group are not accessible by others?
(If I cannot achieve this with Paperclip, what is a good solution?)
Step 1 Import the Image File. This step adds the image file to the project, making it available for webpages to display. Step 2 Display the Image. This step displays the image on a webpage using a view-helper method.
You may make your Rails server output the contents of image files. This is done via a controller action (most actions print HTML, but this one will print JPG, for example).
Then you may use your authorization system to restrict access at the controller level!
    class ImagesController < ApplicationController
      # Default show Image method streams the file contents.
      # File doesn't have to be in public/ dir.
      # @image is expected to be loaded by the authorization filter below
      # before this action runs.
      def show
        send_file @image.filename, :type => @image.content_type,
                  :disposition => 'inline'
      end

      # Use your favorite authorization system to restrict access
      filter_access_to :show, :require => :view, :attribute_check => true
    end
In HTML code you may use:
<img src="/images/show/5" />
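The approach in the answer above, worked as an added example (not the answerer's code): uploads live in a directory outside public/, and a plain-Ruby gate checks owner or group membership and confines the stored filename to that directory before anything is streamed. User, Image, ImageGate and their fields are hypothetical names, current_user is an assumed helper, and the sample file is constructed.

```ruby
require "pathname"
require "tmpdir"

# Constructed stand-ins for the app's models (hypothetical names and fields).
User  = Struct.new(:id, :group_ids)
Image = Struct.new(:id, :owner_id, :group_id, :filename, :content_type)

class ImageGate
  Denied = Class.new(StandardError)

  def initialize(storage_root)
    @root = Pathname.new(storage_root).realpath
  end

  # Owner, or member of the group the image is shared with; anonymous never.
  def viewable?(user, image)
    return false if user.nil?
    return true if image.owner_id == user.id
    !image.group_id.nil? && user.group_ids.include?(image.group_id)
  end

  # Returns [path, content_type] to hand to send_file, or raises Denied.
  def resolve(user, image)
    raise Denied, "not authorized" unless viewable?(user, image)
    path = @root.join(image.filename).cleanpath
    raise Denied, "no such file" unless path.file?
    # Resolve symlinks and "..", then require the result to stay under the root.
    real = path.realpath.to_s
    raise Denied, "outside storage root" unless real.start_with?(@root.to_s + File::SEPARATOR)
    [real, image.content_type]
  end
end

# In the controller's show action this would be used roughly as:
#   path, type = gate.resolve(current_user, @image)   # current_user: assumed helper
#   send_file path, :type => type, :disposition => 'inline'
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "family.png"), "constructed sample bytes")
    gate  = ImageGate.new(dir)
    image = Image.new(5, 1, 10, "family.png", "image/png")
    [User.new(1, []), User.new(2, [10]), User.new(3, []), nil].each do |user|
      outcome = begin
        gate.resolve(user, image).last
      rescue ImageGate::Denied => e
        "denied (#{e.message})"
      end
      puts "user #{user ? user.id : 'anonymous'}: #{outcome}"
    end
  end
end
```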