AWS S3/Ruby on Rails/Heroku: Security hole in my app

别那么骄傲 2021-01-03 17:10

I have a route in my config which says that for a page, say /secure, there is a login required (done via authlogic). A before_filter in my controller takes care

4 answers
  •  悲哀的现实
    2021-01-03 17:58

    Maybe I'm confused as to what you are trying to accomplish, but S3 has permissions access that require an encryption key to be in the URL you provide the user. When using the aws-s3 gem, this option is enabled by default. Therefore, you should not be able to access the files unless the user is using the link with the encrypted key embedded in it. This would require you to make sure that the file is set to authorized access only.

    More info about the gem can be found at http://amazon.rubyforge.org/. Look for documentation related to Access control (I think "authenticated_read" is what you want).
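
An added example, not part of the answer above and not the aws-s3 gem's code: a minimal sketch of legacy S3 query-string authentication (Signature Version 2), showing why a link to a private object stops working once it expires or is altered. The credentials, bucket, object key and helper names are constructed for illustration.

```ruby
require 'openssl'
require 'base64'
require 'uri'

# Constructed sample credentials (not real AWS keys).
ACCESS_KEY_ID = 'AKIDEXAMPLE'
SECRET_KEY    = 'constructed-secret-for-demo'

# The signature covers the verb, the expiry time and the resource path,
# so changing any of them invalidates the link.
def sign(secret, bucket, key, expires)
  string_to_sign = "GET\n\n\n#{expires}\n/#{bucket}/#{key}"
  digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), secret, string_to_sign)
  Base64.strict_encode64(digest)
end

# Build a time-limited URL for a private object (key assumed URL-safe).
def signed_url(bucket, key, expires_in:, now: Time.now)
  expires = now.to_i + expires_in
  sig = URI.encode_www_form_component(sign(SECRET_KEY, bucket, key, expires))
  "https://s3.amazonaws.com/#{bucket}/#{key}" \
    "?AWSAccessKeyId=#{ACCESS_KEY_ID}&Expires=#{expires}&Signature=#{sig}"
end

# Compare two strings without short-circuiting on the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Storage-side check on each request: recompute the signature from the
# request itself, compare, then enforce the expiry.
def valid_request?(url, now: Time.now)
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query.to_s).to_h
  _, bucket, key = uri.path.split('/', 3)
  expires = params['Expires'].to_i
  expected = sign(SECRET_KEY, bucket, key, expires)
  return false unless secure_equal?(params['Signature'].to_s, expected)
  now.to_i <= expires
end
```

The signature only protects anything if the object itself is stored private; a publicly readable object can still be fetched by its plain URL.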
