need an [unsafe] method to #send_file on a location outside of the public_directory

Question

need an [unsafe] method to #send_file on a location outside of the public_directory

tercenya opened this issue 8 years ago · 2 comments

version: 1.0.0.beta-1

4a1e1af restricts #send_file to the public_directory. While that's a well-intentioned security measure, it's a common use-case to #send_file CMS content, or things generated dynamically via TempFile. I don't think Hanami needs the complexity of managing whitelist-able folders, but I do need to be able to do my own permission checking and still use #send_file.

a #send_file_unsafe (or some better name) should be added, and noted in the CHANGELOG that you may need to use this in lieu of the current #send_file behavior.

It might be worth putting a deprecation note in the current (hanami 0.9.X / controller 0.8.X) version if you're going to make existing behavior less accommodating, and fail silently after upgrading (#210)?

Answer 1 · 2017-02-23T14:07:24.000Z

@tercenya Mr @mereghost is working on this.

Answer 2 · 2017-02-23T17:39:40.000Z

Heya @tercenya can you take a look at #216 to check if it fits your needs? Thanks!