335 Secure storage of file attachments [2d]


Goals

  • Learn to store attachments in a way that is accessible by authorized users only
  • Learn to prevent users from uploading malicious content

Resources

Exercise

Add the following feature to MovieDB:

  • Actors have a contract document
  • Only users with an admin role are allowed to upload or download contract documents
  • It should be impossible for an unauthorized user to access a contract document, e.g. by guessing the download URL

Create two implementations of this requirement:

  1. Contracts are saved to RAILS_ROOT/public/system, but include a non-guessable secret in their path
  2. Contracts are saved to RAILS_ROOT/storage and can only be downloaded through a controller action that checks authorization

Discuss the pros and cons of both implementations with your mentor. In particular:

  • How much load does each implementation cause on the server?
  • Can you withdraw access permissions from someone who used to have them?
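
A plain-Ruby sketch of the two storage strategies, added here as an illustration; it is not code from MovieDB or from this card. The User struct, the contract.pdf filename, the contracts subdirectory and all method names are assumptions.

```ruby
require "securerandom"
require "pathname"

# Hypothetical stand-in for MovieDB's user model; only the role matters here.
User = Struct.new(:name, :role) do
  def admin?
    role == :admin
  end
end

class AccessDenied < StandardError; end

# Implementation 1: the file sits under public/system, so the web server
# delivers it without involving the application. The random path segment
# (256 bits, stored with the actor record) is the only access control.
def public_contract_path(actor_id, secret: SecureRandom.hex(32))
  File.join("public", "system", "contracts", secret, Integer(actor_id).to_s, "contract.pdf")
end

# Implementation 2: the file sits under storage, outside the web root.
# A controller action would run this check and then stream the file.
STORAGE_ROOT = Pathname.new("storage/contracts") # relative to RAILS_ROOT

def authorized_contract_path(user, actor_id)
  raise AccessDenied, "admin role required" unless user&.admin?
  # Integer() rejects anything but a number, so request input cannot
  # steer the path outside STORAGE_ROOT.
  STORAGE_ROOT.join(Integer(actor_id).to_s, "contract.pdf").to_s
end

# The role is re-checked on every request, so removing it takes effect
# immediately. A URL from implementation 1 keeps working until the file
# is moved to a path with a new secret.
def can_download?(user, actor_id)
  authorized_contract_path(user, actor_id)
  true
rescue AccessDenied
  false
end
```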

Hint

Don't forget to add storage as a "linked_dir" in your config/deploy.rb.

License
Source code in this card is licensed under the MIT License.
Posted by Henning Koch to makandra Curriculum (2015-08-20 15:10)