Restricting access to Paperclip :original files in S3

Question

How do I restrict any access to the :original styled files in S3 but keep access to the rest of the styles's folders in the bucket?

I saw implementations on how to limit all access and then check on attributes of a model. I just want to limit access to :original styles

I did notice this line in paperclip, I just don't know how to use (if possible)

Answer 1

The answer I am looking for (I think, didn't test it yet) can be found here

http://rdoc.info/github/thoughtbot/paperclip/Paperclip/Storage/S3

s3_permissions: This is a String that should be one of the "canned" access policies that S3 provides (more information can be found here: docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?RESTAccessPolicy.html) The default for Paperclip is :public_read.
You can set permission on a per style bases by doing the following:
:s3_permissions => {
  :original => :private
}
Or globaly:
:s3_permissions => :private

Answer 2

You can limit the files by accessing the files through an action of a controller. This way you can control, which files a user can access and which not.

If you simply make a privat s3 bucket, this won't help you. As a user with a valid key can access any files in the bucket. If you have really file which needs to be protected, you have only view ways to do it (as I think):

• Restrict access to the bucket and serve the files through an action of a controller (no real way to work around this)
• Rename the specific files to be not easy to predict (e.g. 32 or more characters of numbers and letters). This is quit simple to achieve and you can still serve the files directly from s3
• Save the files somewhere else (maybe in an other s3 bucket), so nobody can predict them

For renaming files you can use this stackoverflow question: Paperclip renaming files after they're saved