I am trying to implement Active Storage.
Suppose that all users must authenticate as soon as they reach the application:
class ApplicationController < ActionController::Base
  before_action :authenticate_user!
  ...
end
How do I protect the routes generated by Active Storage?
Solution
The gist: you need to override the redirection controller.
The docs for activestorage/app/controllers/active_storage/blobs_controller.rb say:
If you need to enforce access protection beyond the security-through-obscurity factor of the signed blob references, you'll need to implement your own authenticated redirection controller.
Also, if you plan to use previews, the docs for activestorage/app/models/active_storage/blob/representable.rb say:
Active Storage provides one [controller action for previews], but you may want to create your own (for example, if you need authentication).
You can also find some related information in this rails github issue.
Update:
Here is a minimal example that "should" work to prevent unauthorized access to the redirect when using the Devise gem.
How the URL that the user is redirected to is protected is, I guess, another story. By default those URLs expire after 5 minutes, but that can be set to a shorter period, e.g. 10 seconds (if you replace line 6 of the example below with expires_in 10.seconds).
Create the file app/controllers/active_storage/blobs_controller.rb with the following code:
class ActiveStorage::BlobsController < ActiveStorage::BaseController
  before_action :authenticate_user!
  include ActiveStorage::SetBlob

  def show
    expires_in ActiveStorage::Blob.service.url_expires_in
    redirect_to @blob.service_url(disposition: params[:disposition])
  end
end
Note that the only change from the original code is the added second line
before_action :authenticate_user!
Update 2:
Here is a concern that you can include in ActiveStorage::RepresentationsController and ActiveStorage::BlobsController to enable Devise authentication for ActiveStorage.
See the gist at https://gist.github.com/dommmel/4e41b204b97238e9aaf35939ae8e1666, also included here:
# Rails controller concern to enable Devise authentication for ActiveStorage.
# Put it in +app/controllers/concerns/blob_authenticatable.rb+ and include it when overriding
# +ActiveStorage::BlobsController+ and +ActiveStorage::RepresentationsController+.
#
# Optional configuration:
#
# Set the model that includes devise's database_authenticatable.
# Defaults to Devise.default_scope which defaults to the first
# devise role declared in your routes (usually :user)
#
#   blob_authenticatable resource: :admin
#
# To specify how to determine if the current_user is allowed to access the
# blob, override the can_access_blob? method
#
# Minimal example:
#
#   class ActiveStorage::BlobsController < ActiveStorage::BaseController
#     include ActiveStorage::SetBlob
#     include BlobAuthenticatable
#
#     def show
#       expires_in ActiveStorage::Blob.service.url_expires_in
#       redirect_to @blob.service_url(disposition: params[:disposition])
#     end
#   end
#
# Complete example:
#
#   class ActiveStorage::RepresentationsController < ActiveStorage::BaseController
#     include ActiveStorage::SetBlob
#     include BlobAuthenticatable
#
#     blob_authenticatable resource: :admin
#
#     def show
#       expires_in ActiveStorage::Blob.service.url_expires_in
#       redirect_to @blob.representation(params[:variation_key]).processed.service_url(disposition: params[:disposition])
#     end
#
#     private
#
#     # Every record the blob is attached to must belong to the current user.
#     # (Enumerable#all? is true for an empty collection, so a blob that has
#     # not been attached to anything yet passes this check.)
#     def can_access_blob?(current_user)
#       @blob.attachments.map(&:record).all? { |record| record.user == current_user }
#     end
#   end
module BlobAuthenticatable
  extend ActiveSupport::Concern

  included do
    around_action :wrap_in_authentication
  end

  module ClassMethods
    # Devise scope used for the *_signed_in? / current_* helpers.
    def auth_resource
      @auth_resource || Devise.default_scope
    end

    private

    def blob_authenticatable(resource:)
      @auth_resource = resource
    end
  end

  private

  def wrap_in_authentication
    # && short-circuits, so can_access_blob? is never called with a nil user.
    is_signed_in_and_authorized = send("#{self.class.auth_resource}_signed_in?") &&
                                  can_access_blob?(send("current_#{self.class.auth_resource}"))

    if is_signed_in_and_authorized
      yield
    else
      head :unauthorized
    end
  end

  # Default: any signed-in user of the configured scope may access any blob.
  def can_access_blob?(_user)
    true
  end
end
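As an added illustration (not part of the answer above or of the gist), here is a Rails-free Ruby model of the decision wrap_in_authentication makes when combined with the "complete example" can_access_blob?; User, Record, Attachment and Blob are constructed stand-ins for the Active Storage and Devise objects. It also exercises the edge case that check leaves open: a blob with no attachments yet, for which all? is vacuously true.

```ruby
# Constructed stand-ins for ActiveStorage::Blob, ActiveStorage::Attachment,
# the attached record and the Devise user (no database, no Rails).
User       = Struct.new(:id)
Record     = Struct.new(:user)
Attachment = Struct.new(:record)
Blob       = Struct.new(:attachments)

# The gist's can_access_blob?: every record the blob is attached to must
# belong to the requesting user. Enumerable#all? is true for an empty
# collection, so a blob that has not been attached to anything yet (e.g. a
# direct upload) passes for any signed-in user.
def owner_of_all_records?(blob, user)
  blob.attachments.map(&:record).all? { |record| record.user == user }
end

# Stricter variant: unattached blobs are denied as well.
def strict_owner_check?(blob, user)
  records = blob.attachments.map(&:record)
  !records.empty? && records.all? { |record| record.user == user }
end

# What wrap_in_authentication decides: :yield (run the redirect action) only
# when the Devise scope is signed in and the access check passes, otherwise
# :unauthorized (head :unauthorized). signed_in / current_user stand for what
# <scope>_signed_in? and current_<scope> return.
def blob_access_decision(signed_in:, current_user:, blob:, check: method(:strict_owner_check?))
  return :unauthorized unless signed_in # short-circuit: check never sees a nil user
  check.call(blob, current_user) ? :yield : :unauthorized
end

# Constructed fixtures: Alice's avatar, a document attached to records of both
# users, and a blob nobody has attached yet.
ALICE  = User.new(1)
BOB    = User.new(2)
AVATAR = Blob.new([Attachment.new(Record.new(ALICE))])
SHARED = Blob.new([Attachment.new(Record.new(ALICE)), Attachment.new(Record.new(BOB))])
ORPHAN = Blob.new([])

if __FILE__ == $PROGRAM_NAME
  [[false, nil, AVATAR], [true, ALICE, AVATAR], [true, BOB, AVATAR], [true, ALICE, ORPHAN]].each do |signed_in, user, blob|
    who = user ? "user #{user.id}" : "anonymous"
    puts "#{who}, signed_in=#{signed_in}: #{blob_access_decision(signed_in: signed_in, current_user: user, blob: blob)}"
  end
end
```

Swap check: for method(:owner_of_all_records?) to see the gist's behaviour on ORPHAN (any signed-in user gets :yield).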