Rails Paperclip S3 hide url of attached file
I am using Paperclip to upload files directly to AWS S3 (following this guide: https://devcenter.heroku.com/articles/paperclip-s3).
As shown below, users can view a file in the browser via the "attachment.file.url" method. Is showing the S3 URL to users a security vulnerability? If so, is there a way to hide this URL without first streaming the file through the app or a "download_file" controller action?
production.rb
Rails.application.configure do
  config.paperclip_defaults = {
    storage: :s3,
    s3_credentials: {
      bucket: ENV.fetch('S3_BUCKET_NAME'),
      access_key_id: ENV.fetch('AWS_ACCESS_KEY_ID'),
      secret_access_key: ENV.fetch('AWS_SECRET_ACCESS_KEY'),
      s3_region: ENV.fetch('AWS_REGION'),
    }
  }
end
attachment.rb
class Attachment < ActiveRecord::Base
  belongs_to :upload, polymorphic: true
  has_attached_file :file
  validates_attachment :file, content_type: { content_type: ["image/jpeg", "image/gif", "image/png", "application/pdf", "application/vnd.ms-excel",
                                                              "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
                                                              "application/msword",
                                                              "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
                                                              "text/plain"] }
end
view
<h5>File Uploads</h5>
<ul>
  <% @attachments.each do |attachment| %>
    <li>
      <%= link_to attachment.file_file_name, attachment.file.url, :target => '_blank' %>
    </li>
  <% end %>
</ul>
<%= link_to "Add Files", new_attachment_path(:upload_type => 'Team'), class: "btn btn-md" %>
The S3 URL is visible to anyone who can use dev tools, so exposing it is not a security vulnerability. Some would argue it is poor user experience, but that is a discussion for another time.
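The question also asks whether the link can be kept from being a permanent public handle without proxying the file through Rails. The usual answer with Paperclip is to store objects with `s3_permissions: :private` and hand out `attachment.file.expiring_url(60)` instead of `attachment.file.url`; the following is an added, self-contained Ruby example (not code from the question, the answer or Paperclip) showing what such a SigV4 presigned S3 GET URL is made of and why it stops working, using constructed, non-functional credentials, bucket and key.

```ruby
require 'openssl'
require 'uri'

# Constructed, non-functional credentials and bucket for the example; never hard-code real ones.
CREDS = { access_key_id: 'AKIAEXAMPLEKEY000000', secret_access_key: 'example-secret-not-real',
          bucket: 'example-private-uploads', region: 'us-east-1' }.freeze

# SigV4 percent-encoding: RFC 3986 unreserved characters pass through, everything else is %XX per byte.
def uri_encode(str, keep_slash: false)
  unsafe = keep_slash ? %r{[^A-Za-z0-9\-_.~/]} : /[^A-Za-z0-9\-_.~]/
  str.gsub(unsafe) { |c| c.bytes.map { |b| '%%%02X' % b }.join }
end

def hmac(key, data)
  OpenSSL::HMAC.digest('sha256', key, data)
end

# Presigned GET for a private object. Expiry, key and caller identity are all inside the signed
# string, so whoever holds the link cannot extend it or re-point it; the secret stays on the server.
def presigned_get_url(key, expires_in:, now: Time.now.utc, creds: CREDS)
  host     = "#{creds[:bucket]}.s3.#{creds[:region]}.amazonaws.com"
  amz_date = now.strftime('%Y%m%dT%H%M%SZ')
  date     = now.strftime('%Y%m%d')
  scope    = "#{date}/#{creds[:region]}/s3/aws4_request"
  params   = { 'X-Amz-Algorithm' => 'AWS4-HMAC-SHA256',
               'X-Amz-Credential' => "#{creds[:access_key_id]}/#{scope}",
               'X-Amz-Date' => amz_date, 'X-Amz-Expires' => expires_in.to_s,
               'X-Amz-SignedHeaders' => 'host' }
  query    = params.sort.map { |k, v| "#{uri_encode(k)}=#{uri_encode(v)}" }.join('&')
  path     = '/' + uri_encode(key, keep_slash: true)
  canonical_request = ['GET', path, query, "host:#{host}\n", 'host', 'UNSIGNED-PAYLOAD'].join("\n")
  string_to_sign    = ['AWS4-HMAC-SHA256', amz_date, scope,
                       OpenSSL::Digest::SHA256.hexdigest(canonical_request)].join("\n")
  k_signing = [date, creds[:region], 's3', 'aws4_request']
              .reduce("AWS4#{creds[:secret_access_key]}") { |k, part| hmac(k, part) }
  signature = OpenSSL::HMAC.hexdigest('sha256', k_signing, string_to_sign)
  "https://#{host}#{path}?#{query}&X-Amz-Signature=#{signature}"
end

# Client-side view of the check S3 performs: once X-Amz-Date + X-Amz-Expires has passed,
# the link is dead even though it still sits in a browser history or a forwarded e-mail.
def url_expired?(url, at: Time.now.utc)
  q = URI.decode_www_form(URI(url).query).to_h
  y, mo, d, h, mi, s = q['X-Amz-Date'].match(/\A(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z\z/).captures.map(&:to_i)
  Time.utc(y, mo, d, h, mi, s) + q['X-Amz-Expires'].to_i < at
end
```

The view then links to a URL that is useless after the window closes, while the bucket itself rejects unsigned requests because its objects are private.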