335 Secure storage of file attachments [2d]

Posted Over 8 years ago. Visible to the public.

Goals

  • Learn to store attachments in a way that is accessible by authorized users only
  • Learn to prevent users from uploading malicious content

Exercise

Add the following feature to MovieDB:

  • Actors have a contract document
  • Only users with an admin role are allowed to upload or download contract documents
  • It should be impossible for an unauthorized user to access a contract document, e.g. by guessing the download URL

Create two implementations of this requirement:

  1. Contracts are saved to RAILS_ROOT/public/system, but include a non-guessable secret in their path
  2. Contracts are saved to RAILS_ROOT/storage and can only be downloaded through a controller action that checks authorization

Discuss the pros and cons of both implementations with your mentor. In particular:

  • How much load does each implementation cause on the server?
  • Can you withdraw access permissions from someone who used to have them?
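
The difference behind both questions, as an added plain-Ruby sketch (not code from this card or from MovieDB): a secret path is served without any per-request check, while the storage variant re-checks the role on every download. `User`, the three helper methods, the `contracts` subdirectory and the temp dir standing in for RAILS_ROOT are assumptions made for the illustration.

```ruby
require "securerandom"
require "pathname"
require "tmpdir"
require "fileutils"

# Hypothetical stand-in for the app's user model.
User = Struct.new(:name, :role) do
  def admin?
    role == :admin
  end
end

# Implementation 1: the file sits under public/system behind an unguessable
# path segment. The web server can serve it without running any Ruby code.
def public_contract_path(root, filename)
  secret = SecureRandom.hex(32) # 256 bits from the OS CSPRNG
  File.join(root, "public", "system", "contracts", secret, File.basename(filename))
end

# What static serving amounts to: whoever knows the path gets the file.
def static_fetch(path)
  File.file?(path) ? File.binread(path) : nil
end

# Implementation 2: the file sits under storage/ and every download passes
# through a check like the one a controller action would perform.
def authorized_fetch(root, user, filename)
  return :forbidden unless user&.admin?
  base = Pathname.new(File.join(root, "storage", "contracts")).cleanpath
  path = base.join(filename).cleanpath # lexical check; symlinks are not resolved
  # Reject names such as "../../public/system" that leave the directory.
  return :not_found unless path.to_s.start_with?("#{base}/") && path.file?
  path.binread
end

# Constructed demo data: one contract stored both ways, then the role is withdrawn.
def demo
  Dir.mktmpdir do |root|
    pub  = public_contract_path(root, "contract.pdf")
    priv = File.join(root, "storage", "contracts", "contract.pdf")
    [pub, priv].each { |p| FileUtils.mkdir_p(File.dirname(p)); File.binwrite(p, "%PDF-demo") }
    alice  = User.new("alice", :admin)
    before = [static_fetch(pub), authorized_fetch(root, alice, "contract.pdf")]
    alice.role = :guest # permission withdrawn
    after  = [static_fetch(pub), authorized_fetch(root, alice, "contract.pdf")]
    traversal = authorized_fetch(root, User.new("bob", :admin), "../../public/system")
    { before: before, after: after, traversal: traversal }
  end
end
```

After the role change the secret path still returns the file, because nothing about the path depends on the user; withdrawing access in implementation 1 means moving the file to a new secret path.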

Hint

If you use the be_format matcher in your tests, you might first need to adjust your Ghostscript configuration.
Don't forget to add storage as a "linked_dir" in your config/deploy.rb

Henning Koch
Last edit
About 1 month ago
Michael Leimstädtner
License
Source code in this card is licensed under the MIT License.
Posted by Henning Koch to makandra Curriculum (2015-08-20 15:10)