Block direct download of image in rails - ruby

I am now building an image gallery in Rails. I want to block direct access to downloading images from the web page. How do I do this? I am using the paperclip gem to upload images. Please help me resolve this problem.

The browser will need to have access to the image in order to display it; at some point something on the browser will have direct access to the image.
You can obfuscate how the image is retrieved, but that's basically the best you can do. You might be able to play minor games with the referrer.
Don't disable right-click; that's irritating.

You're basically looking for a login system, I assume. Make sure the image is served by a controller, not by nginx, or whatever is serving your statics. Given that you're using Paperclip, I assume this is already the case. So really you just need to check for a logged in user inside the controller, and return a 403 response or something if the user isn't logged in.

Related

I'm looking for an image sharing service

To explain it briefly, I'm trying to share the image as a URL.
But I need to update the image and I hope the URL doesn't change every time.
In other words, I am looking for a feature or site that can update images to the same URL.
I would appreciate it if you could let me know if there is a similar or the same service.
The way that comes to mind now is to add an image to the imgur and go out. We are looking for an alternative because the URL is the same, but it is a way to list images rather than just one image.

Lightbox2: Display other picture if named image is lost

I have a lot of galleries displayed with Lightbox2 and it works fine.
Now I want to delete the larger version of the pictures, but keep the gallery with the thumbnails for visitors.
How can I make Lightbox2 display an alternative image if the file given in the HTML does not exist?
I couldn't find an option in lightbox.js to handle missing targets.
I had the same question, but after a little research I decided that Lightbox2 is not the right place to handle missing images. Instead, that should be handled at the server or application level.
The web server will respond with a 404 error for any missing resource, whether a web page, image, or anything else. In most cases, it also returns a small HTML page to alert the user (such as this example at Google).
You can usually configure your server or application to return a default 404-style image instead of an HTML page if the requested resource was an image. That will then be displayed to the user instead of the broken image symbol.
How you do this of course depends on the particular server/application stack you are using, but here is a good solution for Apache.

images inside gmail email not being displayed

I know Gmail and Hotmail have introduced their own image proxies. I have sent an email with a simple img tag with src
src="http://www.zong360office.com/assets/images/logo/product-logo.png"
and gmail converts it like this
src="https://ci3.googleusercontent.com/proxy/PCxvUIqBvaJWn_7H8deiQhdJD1QKV_pU5n1JhrPh3xaXMLMzcdSBYCo6-tjs69AYy858H4j5ShIRjw0UrH_VWMtCxC0zIT-Gi4j_dlQv9uRZjzGWFWA=s0-d-e1-ft#http://www.zong360office.com/assets/images/logo/product-logo.png"
Original URL is the direct URL to the image. In the attached image, you can see the request and response headers for this image.
Problem: Please let me know what steps should I take to make this image visible inside gmail.
PS: I am facing the same issue with hotmail as well.
I think I have figured out the GoogleImageProxy issue.
I have answered this in another question as well (images inside gmail email not being displayed).
This is related to the concept of caching. Suppose you have recently deployed your PHP code on your server but you forgot to upload images. You tested your email logic once. Your system generated an HTML email. When this email hits the Gmail server, GoogleImageProxy will try to fetch the images from your site and store them on its own proxy server. While fetching the images, GoogleImageProxy found some 404 statuses for your missing images and 403 for some protected images. GoogleImageProxy has stored these statuses on its own proxy server.
Now you tried to open your email and noticed some 404 statuses against your images. This is understandable. You immediately realized that you forgot to upload some images, so you uploaded them to your server, and you also fixed some permissions on the protected images.
You are all done now. Now you try to run your php-email script once again. As a result you receive another email in your Gmail or Hotmail inbox. You had fixed all the issues with your images, so now the images must be displayed in your email content. But you are still unable to see the images.
Ah, possibly you forgot to clear your browser's cache. Clear your browser's cache and load the Gmail or Hotmail page once again. But the result will still be the same. Try to apply dozens of fixes/patches and run your php-email script a thousand times. But the result will still be the same. No improvement.
THE REAL PROBLEM
What the hell is going on? Let me explain it to you. Go to your access log and try to find requests from GoogleImageProxy. You'll be surprised to see that there will be only 2 or 3 requests from GoogleImageProxy, depending on the number of different images used in your email. GoogleImageProxy never tried to fetch the images, even after you fixed the issues with your images by uploading the missing images and setting permissions for the protected images. Why? Clearing your browser's cache has no impact. GoogleImageProxy will never fetch the fresh images, even for your newer email, because the images are now cached in GoogleImageProxy along with their last status code, not in your own browser.
GoogleImageProxy has set its own expiry date for the images. I think one month. So the fresh copy of the images will be fetched after the expiry date, I mean after one month. You cannot force GoogleImageProxy to fetch the images. But it's important for you to display images in your email. What can be the solution?
THE SOLUTION
Following is the only way to force GoogleImageProxy to fetch your images:
Rename your images to something else with png, jpg or gif extensions only.
Don't use any kind of query string in your image URL like "?t=34343".
Your image must include png, jpg or gif as an extension.
Your image URL must be mapped onto your image directly.
If you need to use some proxy URL for your protected images then your response must include the proper header like "content-type:image/jpeg".
File extension and content-type header must match.
Status code must be 200 instead of 403, 500 etc.
IMPORTANT NOTE
Try to repeat the whole process for every run of the php-email script, because every time GoogleImageProxy will cache your images and you'll have to repeat the same process for every new try.
Hopefully this will fix the issue for most of the people. In my case this has fixed the issue.
These are embedded images. You send an image as an attachment and then use it in your img element like: . Gmail transforms the "cid" link to its internal file storage link and that's why it gives element.
This is one of two common ways to have images within email.
The other way is to keep images in your hosting and send img elements with external links: http://yourdomain.com/yourimage.png. I strongly recommend using the second approach, especially if you expect to have a lot of images in your email. I had problems with attached images display on Gmail which I couldn't solve.
Make sure your from address is a real valid email and not in the form realname+something@example.com.
I'm using Amazon SES to send emails, and inlining some but not all images as attachments. For me it was the non-attachments that were breaking.
Eventually I realized I was using a 'fake' email for the from field.
My real email is
simon@example.com
To make it easy to filter emails in gmail I used the + syntax to create a 'fake' email for testing purposes.
simon+test@example.com
This works great, except it seems to be changing the behavior of the spam/image filter. My image tags ended up completely stripped of the src attribute.
As soon as I switched back to using the actual email then all the images showed up.

IMDB Poster URL Returns Referral Denied

In my Ruby on Rails app, I use the imdb gem (https://rubygems.org/gems/imdb) to search for a movie by title and grab the poster url and add it to the movie model I have in my database. Then in my view, I put that url in an image source tag and display the image to the user.
I don't have any problems when I'm running my application locally, but when I deploy it to Heroku, sometimes a few images are rendered successfully but for the most part, they aren't displayed properly. I've tried multiple browsers and as it turns out when I try to load the image, I get a "Referral Denied" message saying:
You don't have permission to access "[poster url here]" on this server. Reference #[some ref. number here]
How would I go about fixing this? I'm guessing it's because the IMDB server is denying my access because either I'm making too many requests from my application or because my application doesn't have the necessary credentials to get the data or maybe some combination of both. Is there a way to bypass this at all?
IMDB blocks the direct linking of images from their site on other sites; I think this previous question covers the topic.
The easiest way to get around this is to download the image and host it yourself rather than linking IMDB's copy. Alternatively you could investigate alternative movie DBs to see if they can offer what you want - the answers to this question on IMDB APIs lists a few. The Movie DB API looks like a good bet.

Logging image downloads

I'm trying to find a way of finding out who is downloading what image from an image gallery. Users can download using a button beside the thumbnail or right click and use "save link as". Is it possible to relate a user session or ID to a "save link as" action from all browsers using either PHP or JavaScript?
Yes, my preferred way of doing this would be via PHP. You'd have to set up a script which would load up the file and send it to the user browser. This script would also be able to log the download somewhere (e.g. your database).
For example - in very rough pseudo-code:
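download.php
<?php
// updateFileCount() and sendFile() are placeholders you must implement.
$file = $_GET['file'];               // unsafe as written: see the note below
updateFileCount($file);              // record the download
header('Content-Type: image/jpeg');
sendFile($file);                     // stream the image bytes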
Then, you just have your download link point to download.php instead of the actual file. (Note that updateFileCount and sendFile are functions that you would have to provide, of course - this script is an example of a download script which you could use)
Note: I highly recommend avoiding the use of $_GET['file'] to get the whole filename - malicious users could use it to retrieve sensitive files from your web server. But the safe use of PHP downloads is a topic for another question.
You need a gateway script, like ImageDownload.php?picture=me.jpg, or something like that.
That page would return the image bytes, as well as logging that the image is downloaded.
Because the images being saved are on their computer locally there would be no way to get that kind of information as they have already retrieved the image from your system. Even with javascript the best I know that you could do is to log each time a user presses the second mousebutton using some kind of ajax'y stuff.
I don't really like the idea, but if you wanted to log every time someone downloaded an image you could host the images inside a flash or java app that made it a requirement to click a download image button. That way the only way for them to get the image without doing that would be to either capture packets as they came into their side or take a screenshot.
Your server access logs should already have the request for the non-thumbnailed version of the file, so you just need to modify the log format to include the sessionid, which I presume you can map back to a user.
I agree strongly with the suggestion put forward by Phill Sacre. For what you are looking for this is the way to go.
It also has the benefit of being potentially able to keep the tracked files out of the direct web path so that they can't be direct linked to.
I use this method in a client site where the images are paid content so must be restricted access.
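The gateway pattern these answers describe (serve the image through application code, require a logged-in user, record the download, and never trust the client-supplied file name), as an added example that is not code from any of the posts. It is plain Ruby in the shape of a Rack app, to match the Rails question at the top of the page; the `user_id` session key, the `file` parameter and the in-memory log are assumptions.

```ruby
require "uri"
require "tmpdir"
# Added example (not from the page): Rack-style gateway, stdlib only.
# The "user_id" session key, "file" parameter and log shape are assumptions.
class ImageGateway
  TYPES = { ".jpg" => "image/jpeg", ".png" => "image/png", ".gif" => "image/gif" }.freeze
  attr_reader :log

  def initialize(root)
    @root = File.realpath(root) # image store kept outside the public web path
    @log = []                   # stand-in for a database table
  end

  def call(env)
    user = (env["rack.session"] || {})["user_id"]
    return reply(403, "text/plain", "login required") unless user
    path = resolve(env["QUERY_STRING"].to_s)
    return reply(404, "text/plain", "not found") unless path
    @log << { user: user, file: File.basename(path), at: Time.now.utc }
    reply(200, TYPES[File.extname(path).downcase], File.binread(path))
  end

  private

  # Map the client-supplied name to a real file under @root, or nil.
  def resolve(query)
    name = URI.decode_www_form(query).to_h["file"].to_s
    return nil unless TYPES.key?(File.extname(name).downcase)
    real = File.realpath(File.join(@root, name)) # resolves ".." and symlinks
    real.start_with?(@root + File::SEPARATOR) ? real : nil
  rescue SystemCallError, ArgumentError # missing file, NUL byte, bad encoding
    nil
  end

  def reply(status, type, body)
    [status, { "content-type" => type }, [body]]
  end
end

# Constructed sample: one gallery image, one file outside the gallery.
def demo
  Dir.mktmpdir do |dir|
    gallery = File.join(dir, "gallery").tap { |g| Dir.mkdir(g) }
    File.binwrite(File.join(gallery, "cat.png"), "PNG")
    File.binwrite(File.join(dir, "secret.png"), "x")
    app = ImageGateway.new(gallery)
    me = { "rack.session" => { "user_id" => 7 } }
    envs = [{ "QUERY_STRING" => "file=cat.png" },               # anonymous
            me.merge("QUERY_STRING" => "file=cat.png"),         # logged in
            me.merge("QUERY_STRING" => "file=..%2Fsecret.png")] # traversal
    [envs.map { |e| app.call(e).first }, app.log.map { |l| l.values_at(:user, :file) }]
  end
end
```

Only the authenticated request for a file that resolves inside the gallery directory is served and logged; the anonymous request gets 403 and the `../` name gets 404 without touching the log.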
