Securing Carrierwave uploaded files

want to make sure that ONLY users that are logged in can view/download files uploaded from carrierwave.

How is this done?

Moved store directory from public to RAILS_ROOT, created 开发者_StackOverflowroute to show and download.

Problem is if its an image, <%= image_tag(photo.image_url) %> I get the full path /Users/myname/projects/appname/files/image/id/image.png, so that doesn't render.

Also, would be nice if view would not render my absolute path, just relative path from site.

This is actually a really easy thing to do. Here's a blog that talks about sendfile and x-sendfile. This should send you in the right direction.

http://www.therailsway.com/2009/2/22/file-downloads-done-right

Here is the rails docs for it.

http://api.rubyonrails.org/classes/ActionController/Streaming.html#method-i-send_file

Since this is all handled at the controller level, just make sure you have a before_filter that checks if the user is authorized, then use the send_file method in your controller action.