On Jan 4, 2006, at 12:54 AM, Ara.T.Howard wrote:
> i'm trying to debug something (file_column plugin) which makes use of
> RAILS_ROOT to determine a root storage path
>
>   root_path = File::join RAILS_ROOT, "public"
>
> that's well enough - but this same path is used throughout the code to
> generate urls for files under root_path. my understanding of RAILS_ROOT and
> the "public" subdir is that one should never be generating links from outside
> of "public" in this way since it subverts security at minimum and, at maximum,
> is broken since a url relative to RAILS_ROOT is not guaranteed to be visible
> since RAILS_ROOT is a file_system concept and is not in url space.
>
> is this correct?

Yes, that's correct as far as I understand it. I suppose this is in
conjunction with the problem you ran into with file_column and
Family Connection? If so, I wonder if Sebastian has any comment on
implementation choices that he had to make.
Duane Johnson
(canadaduane)
http://blog.inquirylabs.com/
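
The filesystem-space versus URL-space distinction discussed above, as an added example that is not part of the original thread or of file_column: a hypothetical helper, `url_path_for`, builds a URL only for files that resolve to a location under `public`, relative to `public` rather than RAILS_ROOT, and refuses everything else. The directory layout and file names are constructed for the demonstration.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"
require "erb"

# Hypothetical helper (not Rails or file_column code).
class NotServableError < StandardError; end

# Map a stored file's filesystem path to the URL path the web server exposes.
# Only files under public_root have a URL; anything else raises.
def url_path_for(file_path, public_root)
  root = Pathname.new(public_root).realpath
  # expand_path collapses ".." so a traversal cannot survive into the check.
  target = Pathname.new(File.expand_path(file_path.to_s, root.to_s))
  # Resolve symlinks when the file exists so a link out of public/ is caught.
  target = target.realpath if target.exist?
  rel = target.relative_path_from(root)
  first = rel.each_filename.first
  if first == ".." || first == "."
    raise NotServableError, "#{file_path} is not under #{root}"
  end
  # The URL is relative to the document root, never to the application root.
  "/" + rel.each_filename.map { |seg| ERB::Util.url_encode(seg) }.join("/")
end

# Constructed layout: app_root stands in for RAILS_ROOT.
def demo
  Dir.mktmpdir do |dir|
    app_root    = File.realpath(dir)
    public_root = File.join(app_root, "public")
    FileUtils.mkdir_p(File.join(public_root, "avatars", "1"))
    FileUtils.mkdir_p(File.join(app_root, "config"))
    File.write(File.join(public_root, "avatars", "1", "me.png"), "")
    File.write(File.join(app_root, "config", "database.yml"), "")
    inputs = [
      File.join(public_root, "avatars", "1", "me.png"),        # servable
      File.join(app_root, "config", "database.yml"),           # outside public
      File.join(public_root, "..", "config", "database.yml")   # traversal
    ]
    inputs.map do |path|
      begin
        url_path_for(path, public_root)
      rescue NotServableError
        :not_servable
      end
    end
  end
end

p demo if $PROGRAM_NAME == __FILE__
```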