Thanks, I think I got it. So basically you want to show the
<%blobstoreService.createUploadUrl("/upload")%> only to people that
should upload.

Luca

On Fri, Mar 11, 2011 at 2:21 PM, Didier Durand <[email protected]> wrote:
> Hi,
>
> I don't exactly know what you mean by secure but having only the
> logged-in people be allowed to upload will already significantly
> reduce spam.
>
> And then, you can use captchas to make sure it's a human, etc.
>
> regards
>
> didier
>
> On Mar 11, 1:58 pm, Luca Matteis <[email protected]> wrote:
>> So you're saying I should only generate the "upload" key url if the
>> user is authenticated?
>> And that would make it secure? Avoid spam and such?
>>
>> On Fri, Mar 11, 2011 at 12:32 PM, Didier Durand <[email protected]>
>> wrote:
>> > Hi,
>> >
>> > You're right: you can't control WHAT (size, etc.) the users upload
>> > but you can control IF they upload: the key after /upload is generated
>> > by App Engine and has to be a valid one (not too old, not used yet,
>> > etc.) to be usable for an update.
>> >
>> > If you generate such an upload for authenticated users, it gets pretty
>> > secure.
>> >
>> > What else would you be looking for? If it is size, or content or something
>> > equivalent, that means anyway that you have to get out of the browser
>> > sandbox in your application (via java applet, etc.) in order to do
>> > the additional controls you need: a regular web app can't access and
>> > check local files because of the sandbox.
>> >
>> > regards
>> >
>> > didier
>> >
>> > On Mar 11, 12:07 pm, Luca Matteis <[email protected]> wrote:
>> >> I have started using the Blobstore Java
>> >> API: http://code.google.com/appengine/docs/java/blobstore/overview.html
>> >>
>> >> It seems like the upload form goes to something like:
>> >>
>> >> <form
>> >> action="/_ah/upload/agRtaWx1chsLEhVfX0Jsb2JVcGxvYWRTZXNzaW9uX18YTww">
>> >>
>> >> This is part of appengine, it's not my code. This means I can't
>> >> prevent uploads of a given type or uploads of a given length. They get
>> >> loaded into my datastore under "__BlobInfo__" no matter what.
>> >> Isn't this sort of bad?
>> >> I don't want to have my datastore be filled
>> >> with things even though it's google storing the data. Bots would just
>> >> use it to upload spam. I want the upload to happen only by some means
>> >> of authentication.
>> >>
>> >> Any ideas?
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups
>> > "Google App Engine for Java" group.
>> > To post to this group, send email to
>> > [email protected].
>> > To unsubscribe from this group, send email to
>> > [email protected].
>> > For more options, visit this group
>> > at http://groups.google.com/group/google-appengine-java?hl=en.
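
An added example, not part of the thread and not App Engine's own code: the form servlet mints the upload URL only for signed-in users, as discussed above. It goes one step beyond the thread by having the `/upload` callback delete blobs that fail a size or type check after they are stored. The class names, `MAX_BYTES`, the image-only policy and the `/done` and `/rejected` paths are assumptions.

```java
// Added example (not from the thread). Class names, MAX_BYTES, the image-only
// policy and the redirect targets are assumptions; "/upload" is the thread's path.
import java.io.IOException;
import javax.servlet.http.*;
import com.google.appengine.api.blobstore.*;
import com.google.appengine.api.users.*;

// Serves the form; the one-time upload URL is created only for signed-in users.
class UploadFormServlet extends HttpServlet {
  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    UserService users = UserServiceFactory.getUserService();
    if (!users.isUserLoggedIn()) {
      resp.sendRedirect(users.createLoginURL(req.getRequestURI()));
      return; // anonymous clients are never handed a valid /_ah/upload/... key
    }
    String url = BlobstoreServiceFactory.getBlobstoreService().createUploadUrl("/upload");
    resp.setContentType("text/html");
    resp.getWriter().println(
        "<form action=\"" + url + "\" method=\"post\" enctype=\"multipart/form-data\">"
        + "<input type=\"file\" name=\"file\"><input type=\"submit\"></form>");
  }
}

// Mapped to /upload: App Engine invokes it after the blob has already been stored.
class UploadCallbackServlet extends HttpServlet {
  private static final long MAX_BYTES = 1024 * 1024; // assumed limit: 1 MiB

  @Override
  protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    BlobstoreService blobstore = BlobstoreServiceFactory.getBlobstoreService();
    BlobInfoFactory infos = new BlobInfoFactory();
    boolean accepted = true;
    for (BlobKey key : blobstore.getUploadedBlobs(req).values()) {
      BlobInfo info = infos.loadBlobInfo(key);
      // The content type is declared by the client, so treat it as a coarse filter only.
      boolean ok = info != null && info.getSize() <= MAX_BYTES
          && info.getContentType() != null && info.getContentType().startsWith("image/");
      if (!ok) {
        blobstore.delete(key); // remove rejected data so it does not accumulate
        accepted = false;
      }
    }
    resp.sendRedirect(accepted ? "/done" : "/rejected"); // upload callbacks answer with a redirect
  }
}
```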
