4

How do I restrict any access to the :original styled files in S3 but keep access to the rest of the styles's folders in the bucket?

I saw implementations on how to limit all access and then check on attributes of a model. I just want to limit access to :original styles

I did notice this line in paperclip, I just don't know how to use (if possible)

Nick Ginanto
  • 31,090
  • 47
  • 134
  • 244

2 Answers2

1

You can limit the files by accessing the files through an action of a controller. This way you can control, which files a user can access and which not.

If you simply make a privat s3 bucket, this won't help you. As a user with a valid key can access any files in the bucket. If you have really file which needs to be protected, you have only view ways to do it (as I think):

  • Restrict access to the bucket and serve the files through an action of a controller (no real way to work around this)
  • Rename the specific files to be not easy to predict (e.g. 32 or more characters of numbers and letters). This is quit simple to achieve and you can still serve the files directly from s3
  • Save the files somewhere else (maybe in an other s3 bucket), so nobody can predict them

For renaming files you can use this stackoverflow question: Paperclip renaming files after they're saved

Community
  • 1
  • 1
Fa11enAngel
  • 4,690
  • 2
  • 39
  • 38
  • this won't help if the files are accessed directly via url – Nick Ginanto Dec 25 '12 at 19:17
  • You have to stop direct access, if you really want to control the access to your files. Do you use amazon s3? – Fa11enAngel Dec 26 '12 at 00:13
  • yea s3, forgot to add that to the question – Nick Ginanto Dec 26 '12 at 06:22
  • maybe this is a solution for you Nick – Fa11enAngel Jan 03 '13 at 14:41
  • The thing is the paperclip creates the :original folder on its own, and grants it public access. Changing the restriction via aws for every model is a pain and not going to work with new models created. I just want that the original image is either blocked, or as an alternative renamed so no one can predict it (ill do it something random) – Nick Ginanto Jan 03 '13 at 15:22
1

The answer I am looking for (I think, didn't test it yet) can be found here

http://rdoc.info/github/thoughtbot/paperclip/Paperclip/Storage/S3

s3_permissions: This is a String that should be one of the "canned" access policies that S3 provides (more information can be found here: docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?RESTAccessPolicy.html) The default for Paperclip is :public_read.
You can set permission on a per style bases by doing the following:
:s3_permissions => {
  :original => :private
}
Or globaly:
:s3_permissions => :private
Nick Ginanto
  • 31,090
  • 47
  • 134
  • 244