
Rails Paperclip S3 hide url of attached file

I am using Paperclip to upload files directly to AWS S3 (following this guide: https://devcenter.heroku.com/articles/paperclip-s3 ).

As shown below, a user can view a file in their browser using the "attachment.file.url" method. Is it a security vulnerability to display the S3 URL to a user? If so, is there a way to hide this URL without streaming the file to the app first or a "download_file" controller action?

production.rb

Rails.application.configure do
  config.paperclip_defaults = {
    storage: :s3,
    s3_credentials: {
      bucket: ENV.fetch('S3_BUCKET_NAME'),
      access_key_id: ENV.fetch('AWS_ACCESS_KEY_ID'),
      secret_access_key: ENV.fetch('AWS_SECRET_ACCESS_KEY'),
      s3_region: ENV.fetch('AWS_REGION'),
    }
  }
end

attachment.rb

class Attachment < ActiveRecord::Base
  belongs_to :upload, polymorphic: true

  has_attached_file :file
  validates_attachment :file, content_type: {
    content_type: [
      "image/jpeg",
      "image/gif",
      "image/png",
      "application/pdf",
      "application/vnd.ms-excel",
      "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
      "application/msword",
      "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
      "text/plain"
    ]
  }
end

view

<h5>File Uploads</h5>
<ul>
  <% @attachments.each do |attachment| %>
    <li>
      <%= link_to attachment.file_file_name, attachment.file.url, :target => '_blank' %>
    </li>
  <% end %>
</ul>
<%= link_to "Add Files", new_attachment_path(:upload_type => 'Team'), class: "btn btn-md" %>

The S3 URL will be visible to anyone who can use dev tools anyway so exposing it is not a security vulnerability. Some would argue it is bad UX but that is a discussion for another time.
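The question asks whether the URL can be hidden without proxying the file through the app. The usual answer for private objects is not to hide the URL but to make the plain URL useless on its own: store the object with `s3_permissions: :private` and hand out a time-limited signed URL (Paperclip's S3 storage exposes this as `attachment.file.expiring_url(seconds)`, which wraps an AWS presigned URL). The following is an added example, not code from the question, the answer, or Paperclip; it models that idea in plain Ruby with an HMAC so it runs offline. The real S3 scheme is AWS Signature Version 4, not this construction, and the bucket host, object key, and `SIGNING_SECRET` are constructed placeholders.

```ruby
require 'openssl'
require 'uri'
require 'cgi'

# Constructed placeholders for the demo; real deployments use AWS credentials and SigV4.
SIGNING_SECRET = 'demo-secret-do-not-use'.freeze
BUCKET_HOST = 'example-bucket.s3.amazonaws.com'.freeze

# Constant-time string comparison so a signature check does not leak how many
# leading bytes matched through timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build a time-limited URL for an object key. The MAC covers both the key and the
# expiry, so a link holder cannot point it at a different object or extend it.
def signed_url(key, expires_at:, secret: SIGNING_SECRET)
  payload = "#{key}\n#{expires_at}"
  sig = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "https://#{BUCKET_HOST}/#{key}?expires=#{expires_at}&sig=#{sig}"
end

# What the storage side checks before serving the object. A plain, unsigned URL
# (like the one the view above links to) fails with :bad_signature, which is the
# point: knowing the bucket path is no longer enough to read the file.
def verify_url(url, now:, secret: SIGNING_SECRET)
  uri = URI.parse(url)
  params = CGI.parse(uri.query.to_s)
  expires = params['expires'].first.to_i
  sig = params['sig'].first.to_s
  key = uri.path.sub(%r{\A/}, '')
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, "#{key}\n#{expires}")
  return :bad_signature unless constant_time_equal?(sig, expected)
  return :expired if now > expires
  :ok
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now.to_i
  url = signed_url('uploads/report.pdf', expires_at: now + 600)
  puts url
  puts verify_url(url, now: now)                                    # ok
  puts verify_url(url, now: now + 601)                              # expired
  puts verify_url("https://#{BUCKET_HOST}/uploads/report.pdf", now: now) # bad_signature
end
```

Verification happens at the storage service (S3) rather than in the Rails app, so the browser still fetches directly from the bucket and nothing is streamed through the application; the only change on the Rails side is generating `expiring_url` in the view instead of `url`, and the signed links have to be regenerated each time the page renders.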
