 

Where to put private documents to use in Rails applications?

I have some template files I would like to use in my Rails app. I was wondering where (under which directory) to put them given two scenarios:

  1. They are private to my application (Only webmaster can delete, change them)
  2. They are private to my application but they can also be managed by admins (deleted, modified)
Ramon Araujo asked Feb 19 '12 22:02


1 Answer

Update after comments

Since you want to serve the files locally, just put them outside of the /public/ folder and outside of any of the /assets/ folders and you should be good. You can read more about the public and assets folders here: Section 2, "How to use the Asset Pipeline". Let's say:

/private/

I believe Section 11, send_file, also used in the SO question linked in my original answer below, is still the way for you to provide access to files through a controller rather than statically. Adapted from the docs:

send_file("#{Rails.root}/private/#{filename}",
          :filename => "#{filename}",
          :type => "application/pdf", #for example if pdf
          :disposition => 'inline') #send inline instead of attachment

Original answer for remote serving together with send_file below

Regarding 1) files private to the application

You can lock up these private files in a system like Amazon S3 that provides authorized access, as Callmeed explains in this SO question. Then only your application will be able to authorize access to a file.

Regarding 2) also accessible to admins

The problem with just using part 1) is that it unlocks the files for a limited time period during which I assume they are publicly available. So if you want to get around that, I think you need to take the solution from Pavel Shved actually in the same SO question above.

In that solution, files are provided through a route/controller that provides the binary data of the file rather than using a URL that points to the file.

Combined solution

Read the file from S3 with only your application authorized to do that access (not opening it publicly). Then provide the data directly through the controller which can authorize whomever you want.

Caveats

  • Providing binary data directly from the controller seems like it would kill performance of the application if it is used often, but I've never tried it.
  • If you can find a simpler way to do part 1), part 2) will still work with that solution.
KobeJohn answered Oct 21 '22 18:10
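
Serving files through a controller, as the answer describes, depends on two checks before `send_file` is called: the caller is authorized, and the requested name resolves to a file inside the private directory. The following is an added example, not code from the answer or from Rails; the class name `PrivateFileResolver`, the role names and the sample files are assumptions made for illustration.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

# Hypothetical helper: maps a requested name to a real file under private_root,
# or returns nil. A controller would pass the returned path to send_file.
class PrivateFileResolver
  ALLOWED_ROLES = %w[admin webmaster].freeze # assumed role names

  def initialize(private_root)
    @root = Pathname.new(private_root).realpath
  end

  def resolve(user_role, filename)
    return nil unless ALLOWED_ROLES.include?(user_role)
    return nil if filename.nil? || filename.empty? || filename.include?("\0")

    candidate = @root.join(filename) # an absolute filename replaces the root here
    return nil unless candidate.file?

    real = candidate.realpath # follows symlinks and collapses ".."
    # Trailing separator so a sibling such as /private_old never matches /private
    return nil unless real.to_s.start_with?(@root.to_s + File::SEPARATOR)

    real.to_s
  end
end

# Constructed sample tree: one template inside private/, one file outside it.
def demo
  Dir.mktmpdir do |dir|
    FileUtils.mkdir_p(File.join(dir, "private"))
    File.write(File.join(dir, "private", "invoice.pdf"), "template")
    File.write(File.join(dir, "secret.txt"), "outside")
    resolver = PrivateFileResolver.new(File.join(dir, "private"))
    {
      admin_ok: !resolver.resolve("admin", "invoice.pdf").nil?,
      guest: resolver.resolve("guest", "invoice.pdf"),
      traversal: resolver.resolve("admin", "../secret.txt"),
      absolute: resolver.resolve("admin", File.join(dir, "secret.txt")),
      missing: resolver.resolve("admin", "nope.pdf")
    }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

In a Rails controller, a `nil` result would map to a 404 or 403 response, and a non-nil result is the path handed to `send_file`.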