tomitrescak/meteor-uploads

controlling download access to uploaded files.

Open

#125 opened on Jul 31, 2015

View on GitHub
 (10 comments) (0 reactions) (0 assignees)HTML (295 stars) (41 forks)batch import
enhancementhelp wanted

Description

I am loving this uploader tool so far, but I've come to a snag, which was discussed on issue 58: #58

I have previously tried doing file uploads with CollectionFS, but was looking for something better. Specifically I liked the idea that I could choose my own collection in which to store my file metadata, which didn't seem to be possible with the CollectionFS way of doing uploads.

So I put together a demo (https://github.com/wesyah234/fileUploadDemo2) using this package, and soon came to realize that controlling access to the uploaded files did not seem to be possible, at least in the easy way it was with CollectionFS. See https://github.com/CollectionFS/Meteor-CollectionFS#security for how they are doing it, via allow/deny rules.

I was able to prevent a view of a file depending on whether the user was logged in, because it hooked into the Meteor.Accounts system.

The solution in issue #58 does not seem like it will tie into the Meteor.accounts system or anything like that. Are there any other ideas for this issue?

In my work with Java and PHP, typically you would stream the document through PHP or Java, and before streaming it through, you would get to check certain permissions. Is there a possible solution like that here with Meteor? IE. stream it through a route in Meteor?

Contributor guide

Tech stack
javascriptnodejsmongodb
Domain
backendsecurityauthentication
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
Meteor basicsfile upload concepts
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
30
Research direction
The issue asks for a way to control download access to uploaded files, similar to CollectionFS allow/deny rules. Investigate the existing package's method of serving files and how to integrate authentication checks (e.g., using Meteor.userId). Review the linked issue #58 for prior discussion. Consider implementing a middleware or route that checks user permissions before streaming the file. Look at how other Meteor packages handle file access control.