RoR Upload File Security Question
I have a question regarding Ruby on Rails. I'm currently using a gem called Paperclip to allow me to upload files.
My question is the files uploaded go into the /public which is easily accessed from anyone. How do I go about hiding the files uploaded? And only allowing the correct user to download the file?
I'm not interested in hiding a link from someone. But am interested in the fact that someone must be logged in, to download the file.
Thanks.
Edit -- http://rdoc.info/github/thoughtbot/paperclip/master/Paperclip/Storage/Filesystem
I still don't get how I'm to secure the files in the backend?
You can handle this security problem in many ways.
Here is the one I propose to you.
You upload your files using Paperclip. The files will be stored in a directory to which you deny access from the browser.
During the upload, you will store the information about the file in a table on your database server.
You will create a Controller to List and Download your files. You could check if a user can access or download the file by checking his rights.
When you would like to start a download, you will use send_file to force the download while hiding the real path of the file.
Example:
@filename = "#{RAILS_ROOT}/public/dir/a/b/file.mp3"
send_file(@filename, :filename => "music.mp3")
Hope this helps!
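The flow described in the answer above (file table, rights check, real path kept out of the URL), as an added example that is not part of the original post and is written in plain Ruby so it runs without Rails. The names `UploadRecord`, `DownloadResolver`, `AccessDenied` and the `private_uploads` directory are assumptions, and the logged-in user id is assumed to come from the session.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"
# Constructed stand-in for the database row stored at upload time:
# owner, name on disk, and the name shown to the user.
UploadRecord = Struct.new(:id, :owner_id, :stored_name, :display_name)
class AccessDenied < StandardError; end

# Turns a download request into a real path only after the rights check.
class DownloadResolver
  def initialize(storage_root, records)
    @root = Pathname.new(storage_root).realpath # directory outside /public
    @records = records
  end

  # Returns [absolute_path, display_name] for send_file, or raises AccessDenied.
  def resolve(current_user_id, upload_id)
    raise AccessDenied, "login required" if current_user_id.nil?
    record = @records.find { |r| r.id == upload_id }
    # Same error for "missing" and "not yours" so ids cannot be probed.
    raise AccessDenied, "not found" if record.nil? || record.owner_id != current_user_id
    path = (@root + record.stored_name).realpath
    # Refuse anything that resolves outside the storage root ("../", symlinks).
    raise AccessDenied, "not found" unless path.to_s.start_with?(@root.to_s + File::SEPARATOR)
    [path.to_s, record.display_name]
  rescue Errno::ENOENT
    raise AccessDenied, "not found"
  end
end

# Constructed demo: user 1 owns both records; record 11 has a bad stored name.
def demo
  Dir.mktmpdir do |dir|
    root = File.join(dir, "private_uploads")
    FileUtils.mkdir_p(root)
    File.write(File.join(root, "a1b2.mp3"), "constructed sample bytes")
    File.write(File.join(dir, "secret.txt"), "outside the storage root")
    records = [UploadRecord.new(10, 1, "a1b2.mp3", "music.mp3"),
               UploadRecord.new(11, 1, "../secret.txt", "x.txt")]
    resolver = DownloadResolver.new(root, records)
    attempt = lambda do |user, id|
      resolver.resolve(user, id).last
    rescue AccessDenied => e
      "denied: #{e.message}"
    end
    { owner: attempt.call(1, 10), other: attempt.call(2, 10),
      anonymous: attempt.call(nil, 10), traversal: attempt.call(1, 11) }
  end
end
p demo if $PROGRAM_NAME == __FILE__
```

In a Rails controller action, the two returned values would be passed to `send_file(path, :filename => display_name)`, and `AccessDenied` would be rescued and turned into a 404 or a redirect to the login page.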