Rails 6 - Allow/Disallow file download as per user role for files on AWS S3

Question

I have a Rails 6 app, where registered users(Owner) can upload files - images/videos on S3 and then the the owner can provide access to other users(invitations) to view their uploaded content.

Is there a way I can restrict file access so that only the owner can download his uploaded files(images/videos), thereby putting restrictions in place to other non-owner/invited users.. Videos/images should not get downloaded by just right-clicking and saving/downloading them so easily.

Note - the uploaded files also include large videos(both mp4 and HLS streaming), so other invited users can view them but cannot download it unless they are the owners/uploaders as the files are coming from AWS Cloudfront for videos and S3, if they are images.

Associations are setup like -

User has one role
User has many images/videos, each residing in his own folder on s3(`bucket/user_id/image_slug/` or `bucket/user_id/video_slug/`)
User has many invitations(must be view only access to owners file)

Not sure,what is the right approach, can be -

• update the ACL for the file if its accessed by non-owner and make it read-only?
• Make all uploaded files public and disable public access for non-owners but this will also restrict any access to the file directly.

Let me know what is the best suited logic for this approach.

Answer 1

What you are trying to achieve needs groundwork on multiple levels:

1. Based on S3 security best practices, you should keep the permission level to a minimum just enough on the S3 side for the app to provide the expected behavior.

2. S3 allows you to grant access to user specific folders.

3. You should look into the access granted gem to cover server side restrictions. You should also look into client side restrictions. A common technique is to disable right mouse click.

Related:

How to download files without showing S3 URls

Top 7 security features for video streaming platforms

How Netflix protects its content

Answer 2

A possible option would be to generate signed urls to your s3 objects, and have the "authorization" logic in your rails app. This should be the default on ActiveStorage otherwise if you're using Carrierwave you need to set fog_public = false

Option 1:

In the view where you are displaying the button to download the file:

- if user.can_access_document?(document)
  = link_to 'View', document.attachment_url, target: :blank
- else
  Request an invite from the owner

In your User model:

class User < ApplicationRecord
  has_many :invitations 
  
  ...  

  def can_access_document?(document)
    # Check if there is an invitation entry for this user to access said file
    self.invitations.where(document_id: document.id).any?
  end
end

---

Option 2

You could also have the button hit a particular endpoint/route to one of your controllers like Files#download_file, and then do the checking in there and redirect to the s3 file.

class FilesController < ApplicationController
  def download
    document = Document.find(params[:id])

    if current_user.can_access_document?(document)
      redirect_to document_url 
    else
      raise "You don't have access to this document"
    end 
  end
end

In your view just direct the link to your new controller

= link_to 'View', download_files_url(document), target: :blank

As the urls for the files are signed, the user will need to click the button on your website and cannot just use the same url over and over. These signed urls can also have a dynamic expiry time, for example if link is set to expire after 60s, if the user clicks to download the file after 60s elapsed he/she will be displayed an s3 error saying link expired something like this:

<Error>
    <Code>AccessDenied</Code>
    <Message>Request has expired</Message>
    <Expires>2018-06-28T07:13:14Z</Expires>
    <ServerTime>2018-08-06T20:03:02Z</ServerTime>
    <RequestId>87E1D2CFAAA7F9A6</RequestId>
    <HostId>
    A9BEluTV2hk3ltdFkixvQFa/yUBfUSgDjptwphKze+jXR6tYbpHCx8Z7y6WTfxu3rS4cGk5/WTQ=
    </HostId>
</Error>