Secure upload/download file with carrierwave gem rails4
Authenticated users can download and upload files; this is the main purpose of my project. I want to secure my file downloads, so that only authenticated users can download files.

For this, I use the carrierwave gem and the carrierwave wiki page "How To: Secure Upload".

But when I click my download URL, it says "HTTP/1.1 500 Internal Server Error".

Here is the addfiles_controller.rb file:

```ruby
class AddfilesController < ApplicationController
  before_action :logged_in

  def index
    @addfiles = Addfile.all
  end

  def new
    @addfile = Addfile.new
  end

  def create
    if admin_signed_in?
      @addfile = current_admin.addfiles.build(addfile_params)
    else
      @addfile = current_user.addfiles.build(addfile_params)
    end
    if @addfile.save
      redirect_to addfiles_path
    else
      render "new"
    end
  end

  def destroy
    @addfile = Addfile.find(params[:id])
    @addfile.destroy
    redirect_to addfiles_path
  end

  def download
    path = "/#{addfile.addfile}"
    send_file path, :x_sendfile=>true
  end

  private

  def addfile_params
    params.require(:addfile).permit(:name, :attachment)
  end
end
```

config/initializers/carrierwave.rb file:

```ruby
CarrierWave.configure do |config|
  # These permissions will make dir and files available only to the user running
  # the servers
  config.permissions = 0600
  config.directory_permissions = 0700
  config.storage = :file
  # This avoids uploaded files from saving to public/ and so
  # they will not be available for public (non-authenticated) downloading
  config.root = Rails.root
end
```

routes.rb file:

```ruby
FileDownload::Application.routes.draw do
  match "/uploads/:id/:basename.:extension", :controller => "addfiles", :action => "download", via: :get

  resources :addfiles do
    collection do
      get 'all_users'
    end
  end

  root "addfiles#index"
  devise_for :admins
  devise_for :users
end
```

In my views:

```erb
<%= link_to File.basename(file.attachment_url), "/uploads/#{file.id}/#{File.basename(file.attachment_url)}" %>
```

attachment_uploader.rb file:

```ruby
class AttachmentUploader < CarrierWave::Uploader::Base
  storage :file

  def store_dir
    "uploads/#{model.class.to_s.underscore}/#{mounted_as}/#{model.id}"
  end

  def extension_white_list
    %w(pdf doc htm html docx)
  end
end
```

Error trace:

```
Started GET "/uploads/13/ARTICLE_FINAL_.pdf" for 127.0.0.1 at 2014-09-04 14:39:53 +0600
Processing by AddfilesController#download as */*
  Parameters: {"id"=>"13", "basename"=>"ARTICLE_FINAL_", "extension"=>"pdf"}
  User Load (0.0ms)  SELECT "users".* FROM "users" WHERE "users"."id" = 1 ORDER BY "users"."id" ASC LIMIT 1
Completed 500 Internal Server Error in 4ms

NameError (undefined local variable or method `addfile' for #<AddfilesController:0x46baa10>):
  app/controllers/addfiles_controller.rb:37:in `download'

  Rendered C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/actionpack-4.0.4/lib/action_dispatch/middleware/templates/rescues/_source.erb (0.0ms)
  Rendered C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/actionpack-4.0.4/lib/action_dispatch/middleware/templates/rescues/_trace.erb (1.0ms)
  Rendered C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/actionpack-4.0.4/lib/action_dispatch/middleware/templates/rescues/_request_and_response.erb (1.0ms)
  Rendered C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/actionpack-4.0.4/lib/action_dispatch/middleware/templates/rescues/diagnostics.erb within rescues/layout (47.0ms)
[2014-09-04 14:39:53] ERROR Errno::ECONNRESET: An existing connection was forcibly closed by the remote host.
        C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/webrick/httpserver.rb:80:in `eof?'
        C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/webrick/httpserver.rb:80:in `run'
        C:/RailsInstaller/Ruby1.9.3/lib/ruby/1.9.1/webrick/server.rb:191:in `block in start_thread'
```

What's the problem here? Please give me your suggestion.

Try to change the download method like this:

addfiles_controller.rb:

```ruby
def download
  # Double quotes so that #{...} is interpolated; single quotes would pass the literal text
  send_file "#{Rails.root}/uploads/addfile/#{file.id}"
end
```

I was able to get this to work, similar to the way you've set it up and following the CarrierWave Wiki.

I am also using Pundit, so there is some authorisation in there for context.

```ruby
class RecordsController < ApplicationController
  before_action :set_record, only: :download

  def download
    authorize @record
    # where `file` is the name of the mount_uploader from the Record class
    send_file @record.file.path
  end

  private

  def set_record
    @record = Record.find(params[:id])
  end
end
```
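
An added example, not code from the question or either answer: plain Ruby showing the checks a `download` action can run before calling `send_file`, so that the path comes from the stored record, stays inside the private upload root, and the URL's file name is only compared, never joined into a path. `resolve_download`, `FakeRecord`, the owner-only rule and the temp-dir contents are assumptions made for illustration.

```ruby
require "tmpdir"
require "fileutils"

class DownloadDenied < StandardError; end

# Hypothetical stand-in for an Addfile row: owner plus the uploader's stored path.
FakeRecord = Struct.new(:id, :owner_id, :stored_path)

# Returns the absolute path that is safe to hand to send_file, or raises.
def resolve_download(record, user_id, requested_name, upload_root)
  # Authorization first (assumed rule: only the uploader may download).
  raise DownloadDenied, "not authorized" unless record.owner_id == user_id
  root = File.realpath(upload_root)
  begin
    real = File.realpath(record.stored_path) # collapses ".." and symlinks
  rescue SystemCallError
    raise DownloadDenied, "file missing"
  end
  # The resolved file must live under the private upload root.
  raise DownloadDenied, "outside upload root" unless real.start_with?(root + File::SEPARATOR)
  # URL segments are only compared with the stored name, never joined into a path.
  raise DownloadDenied, "name mismatch" unless File.basename(real) == requested_name
  real
end

def attempt(*args)
  resolve_download(*args)
  :sent
rescue DownloadDenied => e
  e.message
end

# Constructed sample data in a temp dir, mirroring the uploader's store_dir layout.
def demo
  Dir.mktmpdir do |dir|
    root  = File.join(dir, "uploads")
    store = File.join(root, "addfile", "attachment", "13")
    FileUtils.mkdir_p(store)
    File.write(File.join(store, "ARTICLE_FINAL_.pdf"), "constructed sample")
    File.write(File.join(dir, "secrets.yml"), "constructed sample")
    ok  = FakeRecord.new(13, 1, File.join(store, "ARTICLE_FINAL_.pdf"))
    bad = FakeRecord.new(14, 1, File.join(store, "..", "..", "..", "..", "secrets.yml"))
    { owner: attempt(ok, 1, "ARTICLE_FINAL_.pdf", root),
      other_user: attempt(ok, 2, "ARTICLE_FINAL_.pdf", root),
      wrong_name: attempt(ok, 1, "secrets.yml", root),
      escaped_path: attempt(bad, 1, "secrets.yml", root) }
  end
end

puts demo.inspect
```

In a Rails controller the returned path would be passed to `send_file`, and a `DownloadDenied` would be turned into a 403 or 404 response.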