Ruby on Rails, JRuby, AWS, EC2, Exalead - Protecting your Paperclip downloads Comments

Comment on 'Protecting your Paperclip downloads' by Rob Anderton

2010-03-20T09:08:53Z

You can use the :requirements option in routes.rb to allow (almost) any character in the params, for example:

map.connect 'tracks/:id/:style', 
  :controller => 'tracks', 
  :action => 'download', 
  :conditions => { :method => :get }, 
  :requirements => { :style => /.*/ }

Note that this means :format is no longer available as a parameter, so you'll have to manually split the :style yourself if necessary.

Using the above with a URL like /tracks/1/.sample.mp3 would set params to { :id => 1, :style => ".sample.mp3" }.

Comment on 'Protecting your Paperclip downloads' by Denton Vis

2010-03-19T15:22:34Z

thanks for the insightful post. But i am having a problem downloading files with names begin with a period. For example, a file with a name like '.bzr.log' would result in a Routing Error 'no route found'. Any ideas on how to remedy this?

Comment on 'Protecting your Paperclip downloads' by Yuval

2010-02-15T18:52:03Z

Blast from the past!

I've returned to this project, and decided to have a go at the variable url/path depending on whether you were requesting the original file or not. In my situation, I am protecting PDFs while making thumbnails etc publicly accessible. The following code is working well, using the same controller action and permissions as in the original article.

config/initializers/plugin_options.rb

Paperclip::Attachment.default_options.merge!(
  :url => '/system/:class/:attachment/:id/:style/:filename',
  :path => ':rails_root/public:url')

Paperclip.interpolates :variable_url do |attachment, style|
  style == :original ? '/pdfs/:id' : Paperclip::Attachment.default_options[:url]
end

Paperclip.interpolates :variable_path do |attachment, style|
  style == :original ? ':rails_root/assets/:class/:id/:filename' : Paperclip::Attachment.default_options[:path]
end

/models/product.rb

has_attached_file :image,
    :styles => {:thumb => ['300>', :jpg], :large => ['620>', :jpg]},
    :default_style => :large,
    :url => ':variable_url',
    :path => ':variable_path'

/config/routes.rb

map.original_pdf 'pdfs/:id', :controller => 'admin/products', :action => 'original_pdf'

Then on the admin page view I am using the following to show a thumbnail and link to the protected PDF:

<%= link_to image_tag(product.image.url(:thumb)), product.image.url(:original) %>

Comment on 'Protecting your Paperclip downloads' by Rob Anderton

2010-01-13T10:42:29Z

@Yuval: good idea. I think the tricky part is that Paperclip doesn't currently support per-style URLs. In the meantime you could maybe still route them through the download action and make the downloadable? check only happen if the style is :original.

Comment on 'Protecting your Paperclip downloads' by Yuval

2010-01-04T03:59:40Z

A great addition to this article would be a two tier approach, where the original asset is protected but its thumbnail/preview is publicly visible/accessible. Cheers.

Comment on 'Protecting your Paperclip downloads' by Rob Anderton

2009-12-06T23:14:41Z

@Georg: that's good news although it doesn't seem to allow for generating urls for different styles, or supporting https access, so might be worth submitting a patch for that.

@Laran: first thing to check is that the right url is being used for the redirect and also check that the uploaded files have the correct permissions (using an S3 file browser like s3fox for Firefox).

Comment on 'Protecting your Paperclip downloads' by Laran Evans

2009-12-03T20:55:32Z

Great tutorial. I've implemented the S3 approach for my attachment model. But when I click on the link to download my file from S3 I keep getting an AccessDenied error.

Any thoughts on how to resolve this?

Comment on 'Protecting your Paperclip downloads' by Georg Ledermann

2009-12-01T15:29:24Z

Regarding the authenticated_url: The latest Paperclip commit added the method "expired_url" which enables the feature out of the box.

Comment on 'Protecting your Paperclip downloads' by Hates_

2009-10-15T23:53:19Z

Brilliant write up! Just what I needed to get my Paperclip S3 stuff working how I wanted.

Comment on 'Protecting your Paperclip downloads' by Dave Mauldin

2009-09-24T16:49:41Z

I'm not actually going to use much of this article yet, but still feel compelled to leave a comment on how awesome this article is. Thanks a ton for taking the time to write this up. Amazing.

Comment on 'Protecting your Paperclip downloads' by Georg Ledermann

2009-09-23T12:14:39Z

Thanks for this article! Just a hint: Instead of writing a method "authenticated_url" in every model which uses Paperclip it's more DRY to monkey patch Paperclip like this:

http://gist.github.com/191937

Comment on 'Protecting your Paperclip downloads' by Rob Anderton

2009-09-11T16:04:46Z

@Trevor, Hakan & Yuval: glad you liked it!

@Thibaut: that's a good question, the answer depends on your storage method:

If you're using the file system storage module then you shouldn't need to do anything as Rails sets the Content-Disposition header to attachment when using the send_file method. Internet Explorer may still insist on showing the file inline though, so you could also use a bit of brute force and set the Content-Type header to application/octet-stream in the controller:
```
send_file_options = { :type => 'application/octet-stream' }
```
If you were feeling clever you could of course use a bit of simple browser sniffing to return the correct Content-Type for intelligent browsers and the application/octet-stream header for IE.

If you're using the S3 storage module then you need to add the s3_headers option to your has_attached_file definition in your models:

has_attached_file :mp3,
                  :url => ':s3_domain_url',
                  :path => 'assets/:class/:id/:style.:extension',
                  :storage => :s3,
                  :s3_credentials => File.join(Rails.root, 'config', 's3.yml'),
                  :s3_permissions => 'authenticated-read',
                  :s3_protocol => 'http',
                  :s3_headers => { :content_disposition => 'attachment' }

When the controller redirects to the S3 URL, Amazon will send the header you specify here, forcing the download. As with file system storage you can also force the Content-Type header using this method, although you won't be able to use any kind of browser sniffing to select content type based on the user's browser:

has_attached_file :mp3,
                  :url => ':s3_domain_url',
                  :path => 'assets/:class/:id/:style.:extension',
                  :storage => :s3,
                  :s3_credentials => File.join(Rails.root, 'config', 's3.yml'),
                  :s3_permissions => 'authenticated-read',
                  :s3_protocol => 'http',
                  :s3_headers => { :content_type => 'application/octet-stream', :content_disposition => 'attachment' }

Comment on 'Protecting your Paperclip downloads' by Thibaut Assus

2009-09-11T09:06:49Z

Cool, But there is a problem here : It is not a send_data, so the user get the file directly in his browser... How could I change that for the user to have a Force-Download file ? Thank you !

Comment on 'Protecting your Paperclip downloads' by Yuval

2009-09-08T15:27:08Z

Holy crap. I stumbled upon this today while search for another paperclip question, and it's exactly what I was looking for last week. Thanks for saving me some hours!

Comment on 'Protecting your Paperclip downloads' by Hakan Ensari

2009-09-08T00:06:20Z

Awesome. Thanks.

Comment on 'Protecting your Paperclip downloads' by Trevor Turk

2009-09-01T16:59:46Z

Amazing write-up. Thanks very much!