Mojolicious Lite: restrict access to static files.


Ivan Martynow

Jun 15, 2014, 6:32:20 AM
to mojol...@googlegroups.com
Hi guys!
I have the following problem:
My dynamically generated gallery page is protected with a session-based authentication system. So, Mojo won't render the gallery page until the user enters a valid login and password. When the user is authorized, he gains access to a page with image thumbnails and he can click an image to get the full size. And here starts a thing I don't understand fully: if a user copies the URL of a big image, he'd be able to enter it into the browser and thus bypass authentication!
Are there any ways which could help to avoid it?

Daniel Vinciguerra

Jun 15, 2014, 8:23:26 AM
to mojolicious
You can use a route to render the image instead of using the real image file path, for example.

In the route you can check user authentication and open the static file... if the user is not authenticated you can show another image regarding the unauthenticated user status.

It can help you, I guess..

best,

Ivan Martynow

Jun 15, 2014, 10:39:34 AM
to mojol...@googlegroups.com
And could you please help me to write a route for such a situation? Let's say full versions of pics are stored in /images/big/foldername/file.jpg. I'm writing something like this:
# Mojolicious routes take placeholders, not a quoted regex string. The relaxed
# placeholder "#pic" matches dots, and the restriction limits it to .jpg names.
# Note: anything present under public/ is served by the static dispatcher before
# routes run, so this route only fires for paths that are not static files.
get '/images/big/:folder/#pic' => [pic => qr/.+\.jpg/i] => sub {
    my $self = shift;
    # value passed through stash for the <img src="<%= $pic %>"> tag
    $self->stash(pic => $self->param('pic'));
    $self->render('gallery_big');
};
but it doesn't seem to work: pictures are still given back as static files.
Sorry for dumb questions, but I'm totally new to frameworking.


--
You received this message because you are subscribed to a topic in the Google Groups "Mojolicious" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/mojolicious/oOH_w54TLf4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to mojolicious...@googlegroups.com.
To post to this group, send email to mojol...@googlegroups.com.
Visit this group at http://groups.google.com/group/mojolicious.
For more options, visit https://groups.google.com/d/optout.

Luc Didry

Jun 15, 2014, 10:55:31 AM
to mojol...@googlegroups.com
On 15/06/2014 16:39, Ivan Martynow wrote:
> And could you please help me to write a route for such a situation? Let's
> say full versions of pics are stored in /images/big/foldername/file.jpg.
> I'm writing something like this:
> get 'qr!/images/big/.*/(.*\.jpg)!i' => sub {
> my $self = shift;
> $self->stash(pic => $1); #it's a value passed through stash for <img
> src="<%=$pic%>"> tag.
> $self->render('gallery_big');
> };
> but it doesn't seem to work: pictures are still given back as static files.
> Sorry for dumb questions, but I'm totally new frameworking.
>
>
> 2014-06-15 16:23 GMT+04:00 Daniel Vinciguerra <dan.vin...@gmail.com>:
>
>> You can use a route to render image instead of use the real image file
>> path, for example.
>>
>> At route you can check user authentication and open static file... if user
>> is not authenticated you can show another image regarding unauthenticated
>> user status.
>>
>>
>> Its can help you, I guess..
>>
>> best,
>>

You can store your images in a path which is not in the public directory
and render the images with Mojolicious::Plugin::RenderFile
(https://github.com/koorchik/Mojolicious-Plugin-RenderFile)

Hope this will help.
--
Luc
http://www.fiat-tux.fr/
The Internet is not complicated, the Internet is what you make of it.
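Putting Daniel's and Luc's suggestions together, here is an added, self-contained Mojolicious::Lite example (not code from the thread, nor from Mojolicious::Plugin::RenderFile) that serves the full-size images from a directory outside public/ through a route that checks the session first. The reason Ivan's route never fires is that files under public/ are handled by the static file dispatcher before any route runs, so the images have to move out of public/. The private_images directory, the demo credentials, the application secret and the is_authenticated helper are all constructed for this example; core Mojo::Asset::File is used to send the file, and RenderFile could replace the last two lines of the image route.

```perl
#!/usr/bin/env perl
use Mojolicious::Lite;
use Mojo::File qw(curfile);
use Mojo::Asset::File;

# Constructed layout: full-size images live OUTSIDE public/, so the static
# dispatcher (which runs before routes) can never hand them out directly.
my $private = curfile->dirname->child('private_images')->make_path->realpath;

app->secrets(['constructed-secret-replace-me']);    # constructed, not a real secret

# Minimal session check; swap in the application's real login logic.
helper is_authenticated => sub { my $c = shift; return !!$c->session('user') };

# Constructed login route so the example runs stand-alone.
post '/login' => sub {
    my $c = shift;
    my $user = $c->param('user') // '';
    my $pass = $c->param('password') // '';
    if ($user eq 'demo' && $pass eq 'demo') {       # constructed credentials
        $c->session(user => $user);
        return $c->redirect_to('/');
    }
    $c->render(text => 'bad credentials', status => 401);
};

get '/' => sub { shift->render(text => 'gallery thumbnails would go here') };

# Image route. "#file" is a relaxed placeholder (matches dots); the restrictions
# allow only simple folder/file names, so "/" and ".." can never reach the path.
get '/images/big/:folder/#file' =>
  [folder => qr/[\w-]+/, file => qr/[\w-]+\.jpe?g/i] => sub {
    my $c = shift;

    # Authentication happens here, on every request for a big image.
    return $c->render(text => 'login required', status => 401)
      unless $c->is_authenticated;

    my $file = $private->child($c->param('folder'), $c->param('file'));
    return $c->reply->not_found unless -f $file;

    # Defence in depth: the resolved path must still sit under $private.
    my $real = $file->realpath;
    return $c->reply->not_found unless index("$real", "$private") == 0;

    $c->res->headers->content_type('image/jpeg');
    $c->reply->asset(Mojo::Asset::File->new(path => "$real"));
};

app->start;
```

Run it with `morbo app.pl`, put a JPEG at private_images/foldername/file.jpg, and request /images/big/foldername/file.jpg: without a session the route answers 401 even when the URL is pasted directly, and after a POST to /login with the constructed credentials the image is returned. The placeholder restrictions are the primary guard against path traversal; the realpath check is a second one in case the restrictions are later loosened.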


Ivan Martynow

Jun 15, 2014, 11:01:18 AM
to mojol...@googlegroups.com
I'll try, thanks!

Daniel Vinciguerra

Jun 15, 2014, 1:43:31 PM
to mojolicious


Daniel Vinciguerra (@dvinciguerra)

Web solution architect, perl dev, vegetarian, geek and co-founder at Bivee
bivee.com.br  -  github.com/Bivee

