CODEWITHSUNDEEP
ruby-on-railsamazon-s3carrierwavefog
kcurtin
kcurtin

Reputation: 521

Amazon access key showing in URL for Carrierwave and Fog

I just switched from storing my images uploaded via Carrierwave locally to using Amazon s3 via the fog gem in my Rails 3.1 app. While images are being added, when I click on an image in my application, the URL is providing my access key and a signature. Here is a sample URL (XXX replaced the string with the info):

https://s3.amazonaws.com/bucketname/uploads/photo/image/2/IMG_4842.jpg?AWSAccessKeyId=XXX&Signature=XXX%3D&Expires=1332093418

This is happening in development (localhost:3000) and when I am using heroku for production. Here is my uploader:

class ImageUploader < CarrierWave::Uploader::Base
 include CarrierWave::RMagick
 storage :fog
  def store_dir
    "uploads/#{model.class.to_s.underscore}/#{mounted_as}/#{model.id}"
  end
  process :convert => :jpg
  process :resize_to_limit => [640, 640] 
  version :thumb do
    process :convert => :jpg
    process :resize_to_fill => [280, 205]
  end
  version :avatar do
    process :convert => :jpg
    process :resize_to_fill => [120, 120]
  end
end

And my config/initializers/fog.rb :

 CarrierWave.configure do |config| 
  config.fog_credentials = { 
     :provider               => 'AWS', 
     :aws_access_key_id      => 'XXX', 
     :aws_secret_access_key  => 'XXX',
   } 
  config.fog_directory  = 'bucketname' 
  config.fog_public     = false
end

Anyone know how to make sure this information isn't available?

UPDATE: Adding view and controller code: from a partial in users/show.html.erb:

<% if @user.photos.any? %>
  <% for photo in @user.photos %>
    <li class="span4 hidey">
    <div class="thumb_box">
      <%=link_to(image_tag(photo.image_url(:thumb).to_s), photo.image_url.to_s,   
                                                       :class=>"lb_test") %>
      ...
    </div>    
    </li>
  <% end %>
<% end %>

users_controller.rb:

 def show
   @user = User.find(params[:id])
 end

UPDATE: Adding an error page I get when removing the access key information from the url:

This XML file does not appear to have any style information associated with it. The document tree is shown below.

<Error>
 <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
   <RequestId>47077D6EC13AD1D8</RequestId>
     <HostId>+HTeODcWTqv3gbRIAwf+lI6sPzfNTegDXjT9SnMdqrYr7gLD1TD0qN+OgMLwA1JO
     </HostId>
 </Error>

Upvotes: 3

Views: 3507

Answers (3)

rcd
rcd

Reputation: 1348

Remove 

config.fog_public     = false

That's a non-default value :)

Upvotes: 6

Carson Cole
Carson Cole

Reputation: 4461

What you are seeing is a signed-url. Without the full url (including key,signature,expires), you'll get an access denied. It is working exactly as it should. And I am guessing the key is just a public key, that is useless without your private key (which AWS has).

Upvotes: 4

Ed Jones
Ed Jones

Reputation: 653

Try photo.image.url instead of photo.image_url. That's what I'm using.

Upvotes: -1

Related Questions