Posted almost 3 years ago. Visible to the public.

Secure storage of file attachments

Read Deliver Paperclip attachments to authorized users only

Add the following feature to MovieDB:

  • Actors have a contract document
  • Only users with an admin role are allowed to upload or download contract documents
  • It should be impossible for an unauthorized user to access a contract document, e.g. by guessing the download URL

Create two implementations of this requirement:

  1. Contracts are saved to RAILS_ROOT/public/system, but including a non-guessable secret in their path
  2. Contracts are saved to RAILS_ROOT/storage and can only be downloaded through a controller action that checks authorization

Discuss the pros and cons of both implementation with your mentor. In particular:

  • How much load does each implementation cause on the server?
  • Can you withdraw access permissions from someone who used to have them?

Author of this card:

Avatar
Henning Koch
Last edit:
over 1 year ago
by Natalie Krehan
Posted by Henning Koch to makandra Curriculum
This website uses cookies to improve usability and analyze traffic.
Accept or learn more