Rails Secure Download

I am building an rails app and I want to secure the user's downloads.

The scenario is: There is an item with a download column of "/some_directories/some_file.zip".

A user buys the file, goes to "My downloads" page and clicks "Download". The download button is checking if the us开发者_如何学JAVAer really bought the file, and if he did it is sending the data of the download column of the item. All is good. Now, the user will see where the download came from (example.com/some_directories/some_file.zip) and just send the URL to his friends. My question is, how can I prevent this situation? How can I let only the customers of the item download this file, no matter what?

Thank you very much

Adam

Another popular way of handling this in a scalable way that doesn't tie up your Rails processes is to use Amazon S3 and generate a URL that is only valid for a short period of time (e.g. 3 minutes).

It doesn't rule out the possibility of someone sending the URL to another friend to be accessed immediately, but then again, if they're downloading something they can just send it to their friend later too. The idea here is that it prevents someone from posting the URL on a forum somewhere for people to access for years to come.

S3 Documentation for time-limited query-string authentication.

I ran into the same issue as you. My solution was to store the file in a database via Paperclip and restrict access that way with authlogic and declarative_authorization. Works like a charm!

https://github.com/patshaughnessy/paperclip - version of paperclip that allows database file storage.