I have a website where users can upload images and set the privacy setting per image to "public-visible", "member-visible", or "friends-visible". When an image is set to "member-visible", all non-logged-in users see some "forbidden, sign up" image instead. When it is "friends-visible", all non-friends see the "forbidden" one.
What is the best (in terms of resource-friendliest/fastest) way to achieve this?
At the moment I have a generic link to an image resource in my HTML like <img src="/images?image_id=1234"> for both logged-in and non-logged-in users.
My /image is a script that looks up the current user (via cookie) and the image metadata (via image_id) in the database, compares the access rights of the user and then sends either the actual image or the "forbidden" image. Problem here: the script is called every time an image is loaded and produces some overhead I want to avoid.
I would like all images to be static on the server and called by some kind of static hash URL. This way no bloated script has to be fired every time. But I also want to prevent users from copying that static image link and sending it to other (non-logged-in) users (no security by obscurity!). Another issue is that I need to make sure only friends can see "friends-visible" images.
What are your experiences with this? Any ideas welcome!
PS: I am using Ruby on Rails, MySQL, Apache, Redis, but generic solutions are welcome, which is why I did not add technology-related tags.
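One way to keep the per-image request cheap while still stopping copied links from working, shown here as an added Ruby example (not code from the site described in the question): the page that renders the <img> tag issues an HMAC-signed URL bound to the viewing user and an expiry, and the image endpoint only recomputes the MAC, with no database lookup. The secret value, the /images/<id> path layout and the query parameter names u, e and t are assumptions.

```ruby
require "openssl"
require "base64"
require "uri"

# Constructed secret for this example; a real deployment keeps it in the
# app's credential store, never in source control.
IMAGE_URL_SECRET = "constructed-example-secret-change-me".freeze

# MAC over image id, viewer id and expiry, so changing any one of them
# invalidates the token.
def image_mac(image_id, user_id, expires_at, secret)
  payload = "#{image_id}:#{user_id}:#{expires_at}"
  Base64.urlsafe_encode64(OpenSSL::HMAC.digest("SHA256", secret, payload), padding: false)
end

# Issue a short-lived link for one viewer. The friend/member check against
# the database happens once here, when the page containing the link renders.
def signed_image_url(image_id, viewer_id, ttl: 300, now: Time.now.to_i, secret: IMAGE_URL_SECRET)
  expires_at = now + ttl
  "/images/#{image_id}?u=#{viewer_id}&e=#{expires_at}&t=#{image_mac(image_id, viewer_id, expires_at, secret)}"
end

# Constant-time comparison so a forged token cannot be confirmed byte by
# byte from response timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Check a requested URL against the user id from the session cookie.
# Returns true only when the token is intact, unexpired and was issued to
# this very viewer; a copied link fails the viewer check for anyone else.
def image_url_allowed?(url, session_user_id, now: Time.now.to_i, secret: IMAGE_URL_SECRET)
  uri = URI.parse(url)
  image_id = uri.path.split("/").last
  params = URI.decode_www_form(uri.query.to_s).to_h
  user_id, expires_at, token = params["u"], params["e"], params["t"]
  return false if [user_id, expires_at, token].any?(&:nil?)
  return false unless user_id == session_user_id.to_s   # issued to someone else
  return false if expires_at.to_i <= now                 # stale link
  secure_equal?(token, image_mac(image_id, user_id, expires_at, secret))
end
```

Because the check is a single HMAC, it can sit in a very small endpoint (or a front-end module) that then hands the static file to the web server; a logged-out user who receives the link never has a matching session user id, and even the legitimate viewer's copy stops working once the expiry passes.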