[Rails] Re: Opening a folder for file selection
Thanks 7stud! Your code works and I integrated it with my version.
The only changes I made were to redo RAILS_ROOT to use: dir_path = Rails.root.join("public","resumes")
and to make the send_file more "Windowsy" in this way:
send_file("#{dir_path}\\#{fname}", :filename => fname)
I appreciate your taking the time!
Barney
On Aug 18, 10:49 pm, 7stud -- <li...@ruby-forum.com> wrote:
> Okay. But I am a beginner too, so I don't know if this is the best way.
> I'm assuming the path to your folder is:
>
> /public/files_to_read
>
> class PagesController < ApplicationController
>   def home
>     @title = "Home"
>   end
>
>   def get_files
>     dir_path = 'public/files_to_read'
>
>     Dir.chdir(dir_path) do
>       @fnames = Dir.glob("*")
>     end
>   end
>
>   def download
>     dir_path = 'public/files_to_read'
>     fname = params[:fname]
>
>     Dir.chdir(dir_path) do
>       allowed_fnames = Dir.glob("*")
>
>       if allowed_fnames.include?(fname)
>         send_file("#{RAILS_ROOT}/#{dir_path}/#{fname}",
>                   :filename => fname)
>       else
>         @title = 'Home'
>         render 'home'
>       end
>     end
>   end
> end
>
> ===
>
> Test2App::Application.routes.draw do
>   root :to => "pages#home"
>
>   get 'pages/get_files'
>   get 'pages/download'
> end
>
> ===
>
> <h1>Pages#home</h1>
> <p>Find me in app/views/pages/home.html.erb</p>
>
> <%= link_to "Read a file", {:controller => 'pages', :action => 'get_files'} %>
>
> ===
>
> <h1>Pages#get_files</h1>
> <div>Find me in app/views/pages/get_files.html.erb</div>
>
> <h3>Click the file you want to download:</h3>
>
> <% @fnames.each do |fname| %>
>   <div><%= link_to fname, :controller => 'pages', :action => 'download',
>                           :fname => fname %></div>
> <% end %>
>
> ===
>
> <!DOCTYPE html>
> <html>
>   <head>
>     <title><%= @title %></title>
>     <%= csrf_meta_tag %>
>   </head>
>   <body>
>
>     <%= yield %>
>
>   </body>
> </html>
>
> ===
>
> http://localhost:3000 => home.html.erb
> click on Read file link => get_files.html.erb
> click on a filename link => computer downloads the file
>
> The reason for the code:
>
> if allowed_fnames.include?( )
>
> is to prevent a hacker from going to the page of links, and then instead
> of clicking on a link, entering:
>
> http://localhost:3000/pages/download?fname=/path/to/secrets.txt
>
> If you don't check the fname that the server receives, a hacker can
> download any file they want.
>
> --
> Posted via http://www.ruby-forum.com/.
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
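An added example, not code from either post, showing the allow-list check 7stud describes combined with a second, canonical-path containment check, exercised against a constructed temporary directory. The names `safe_download_path` and `demo_requests` are my own; nothing here depends on Rails, so it runs stand-alone.

```ruby
require "tmpdir"
require "fileutils"

# Resolve a user-supplied file name against a fixed download directory.
# Returns the absolute path when the request is safe, nil otherwise.
# Two independent checks, in the spirit of the thread:
#   1. the name must be one of the directory's own entries (allow-list), and
#   2. the resolved real path must still sit inside the directory (containment),
# so "../secrets.txt", "/etc/passwd", or a symlink that points outside
# the folder are all refused, even though a symlink passes check 1.
def safe_download_path(dir_path, fname)
  return nil if fname.nil? || fname.empty? || fname.include?("\0")

  base = File.realpath(File.expand_path(dir_path))
  # Allow-list: only names Dir.glob returns for the directory itself.
  allowed = Dir.glob("*", base: base)
  return nil unless allowed.include?(fname)

  # Containment: resolve symlinks and require the result to stay under base.
  full = File.realpath(File.expand_path(fname, base))
  return nil unless full.start_with?(base + File::SEPARATOR)
  return nil unless File.file?(full)
  full
end

# Constructed demo: a throwaway folder with one legitimate file, a file
# outside the folder, and a symlink inside that points at the outside file.
# Returns the basename each request resolves to (nil when refused).
def demo_requests
  Dir.mktmpdir do |root|
    dir = File.join(root, "public", "resumes")
    FileUtils.mkdir_p(dir)
    File.write(File.join(dir, "alice.pdf"), "resume")
    File.write(File.join(root, "secrets.txt"), "top secret")
    begin
      File.symlink(File.join(root, "secrets.txt"), File.join(dir, "leak.pdf"))
    rescue NotImplementedError
      # platform without symlinks: the "leak.pdf" request simply does not exist
    end

    {
      legit:     safe_download_path(dir, "alice.pdf"),
      traversal: safe_download_path(dir, "../secrets.txt"),
      absolute:  safe_download_path(dir, File.join(root, "secrets.txt")),
      symlink:   safe_download_path(dir, "leak.pdf"),
      missing:   safe_download_path(dir, "nobody.pdf"),
    }.transform_values { |p| p && File.basename(p) }
  end
end
```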