> I don't believe there are any security concerns, because we're using blob.signed_id.
Scratch that. *Of course* there'd be a security concern — URLs generated by url_for(attachment) contain the blob.signed_id, meaning it's revealed to the client. 🤦♂️

So, this functionality is likely not a good candidate for a core Rails feature, as it will be fairly application specific.

On Friday, June 22, 2018 at 8:53:08 AM UTC-6, Kyle Fox wrote:
> I think it might be handy to have a destroy action available on ActiveStorage::BlobsController <https://github.com/rails/rails/blob/5-2-0/activestorage/app/controllers/active_storage/blobs_controller.rb>, i.e:
>
> rails_service_blob DELETE /rails/active_storage/blobs/:signed_id/*filename(.:format) active_storage/blobs#destroy
>
> I will be adding this functionality to an application, and if there's general support I'd be happy to submit it as a pull-request.
>
> The use case is to allow unattached blobs to be destroyed. For example, say you have a form that allows a customer to upload an avatar (via direct uploads <http://guides.rubyonrails.org/active_storage_overview.html#direct-upload-javascript-events>) and the customer:
>
> 1. Uploads "handsome.jpg", thereby creating a new Blob (blob-1)
> 2. Then decides to upload "extra-handsome.jpg" instead, which creates another new Blob (blob-2)
> 3. Submits the form, which attaches customer.avatar to blob-2
>
> In this scenario blob-1 will forever be unattached.
>
> A scheduled rake task could of course periodically purge unattached blobs. But ideally, the Active Storage JavaScript library would allow the client to delete blob-1 directly from the cloud when it knows it will be unattached.
>
> I don't believe there are any security concerns, because we're using blob.signed_id.
>
> Would the Rails team consider a patch that adds this functionality?
>
> Thanks!
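Why the signed ID carried in every served blob URL cannot double as delete authorization, shown as an added example that is not part of the original thread or of Rails. A simplified HMAC signer stands in for the Active Storage verifier; the `blob_delete` purpose, the `owner` field, the secret and both `*_destroy?` helpers are hypothetical.

```ruby
require "openssl"
require "json"

SECRET = "constructed-demo-secret" # constructed stand-in for the app's signing secret

# Sign {id, purpose, owner} as "<base64 payload>--<hex HMAC>".
def sign(id, purpose:, owner: nil)
  data = [JSON.generate("id" => id, "purpose" => purpose, "owner" => owner)].pack("m0")
  "#{data}--#{OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)}"
end

# Return the payload only if the HMAC is valid and the purpose matches.
def verify(token, purpose:)
  data, mac = token.to_s.split("--", 2)
  return nil unless data && mac
  expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
  return nil unless mac.bytesize == expected.bytesize
  diff = 0
  mac.bytes.zip(expected.bytes) { |a, b| diff |= a ^ b } # constant-time compare
  return nil unless diff.zero?
  payload = JSON.parse(data.unpack1("m0"))
  payload["purpose"] == purpose ? payload : nil
end

# Weak (hypothetical): any holder of the ID from a served URL may delete.
def naive_destroy?(token)
  !verify(token, purpose: "blob_id").nil?
end

# Scoped (hypothetical): requires a delete-purpose token bound to the
# uploader's session, which never appears in a served URL.
def scoped_destroy?(token, session_user:)
  payload = verify(token, purpose: "blob_delete")
  !payload.nil? && payload["owner"] == session_user
end

# Constructed sample tokens for blob 1.
URL_TOKEN    = sign(1, purpose: "blob_id")                          # visible in every blob URL
DELETE_TOKEN = sign(1, purpose: "blob_delete", owner: "uploader-7") # returned only to the uploader

if __FILE__ == $PROGRAM_NAME
  puts "naive, URL token:             #{naive_destroy?(URL_TOKEN)}"
  puts "scoped, URL token:            #{scoped_destroy?(URL_TOKEN, session_user: "uploader-7")}"
  puts "scoped, delete token, owner:  #{scoped_destroy?(DELETE_TOKEN, session_user: "uploader-7")}"
  puts "scoped, delete token, other:  #{scoped_destroy?(DELETE_TOKEN, session_user: "visitor-9")}"
end
```

The signature only proves the server issued the ID; it says nothing about who is presenting it, so the delete decision has to rest on something the page viewer never receives.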
