Add a `destroy` action to ActiveStorage::BlobsController?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Add a `destroy` action to ActiveStorage::BlobsController?

Kyle Fox
I think it might be handy to have a destroy action available on ActiveStorage::BlobsController, i.e:

rails_service_blob    DELETE    /rails/active_storage/blobs/:signed_id/*filename(.:format)    active_storage/blobs#destroy

I will be adding this functionality to an application, and if there's general support I'd be happy to submit it as a pull-request.

The use case is to allow unattached blobs to be destroyed. For example, say you have a form that allows a customer to upload an avatar (via direct uploads) and the customer:
  1. Uploads "handsome.jpg", thereby creating a new Blob (blob-1)
  2. Then decides to upload "extra-handsome.jpg" instead, which creates another new Blob (blob-2)
  3. Submits the form, which attaches customer.avatar to blob-2
In this scenario blob-1 will forever be unattached.

A scheduled rake task could of course periodically purge unattached blobs. But ideally, the Active Storage JavaScript library would allow the client to delete blob-1 directly from the cloud when it knows it will be unattached.

I don't believe there are any security concerns, because we're using blob.signed_id.

Would the Rails team consider a patch that adds this functionality?

Thanks!

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Add a `destroy` action to ActiveStorage::BlobsController?

Kyle Fox
> I don't believe there are any security concerns, because we're using blob.signed_id.

Scratch that. Of course there'd be a security concern — URLs generated by url_for(attachment) contain the blob.signed_id, meaning it's revealed to the client. 🤦‍♂️

So, this functionality is likely not a good candidate for a core Rails feature, as it will be fairly application specific.

On Friday, June 22, 2018 at 8:53:08 AM UTC-6, Kyle Fox wrote:
I think it might be handy to have a destroy action available on <a href="https://github.com/rails/rails/blob/5-2-0/activestorage/app/controllers/active_storage/blobs_controller.rb" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Frails%2Frails%2Fblob%2F5-2-0%2Factivestorage%2Fapp%2Fcontrollers%2Factive_storage%2Fblobs_controller.rb\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEdNAspqxxA833vFuzfRPrz3CwZQA&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2Frails%2Frails%2Fblob%2F5-2-0%2Factivestorage%2Fapp%2Fcontrollers%2Factive_storage%2Fblobs_controller.rb\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEdNAspqxxA833vFuzfRPrz3CwZQA&#39;;return true;">ActiveStorage::BlobsController, i.e:

rails_service_blob    DELETE    /rails/active_storage/blobs/:signed_id/*filename(.:format)    active_storage/blobs#destroy

I will be adding this functionality to an application, and if there's general support I'd be happy to submit it as a pull-request.

The use case is to allow unattached blobs to be destroyed. For example, say you have a form that allows a customer to upload an avatar (via <a href="http://guides.rubyonrails.org/active_storage_overview.html#direct-upload-javascript-events" target="_blank" rel="nofollow" onmousedown="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fguides.rubyonrails.org%2Factive_storage_overview.html%23direct-upload-javascript-events\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG279m-zHvPmzkbCE05wo4oexTrSA&#39;;return true;" onclick="this.href=&#39;http://www.google.com/url?q\x3dhttp%3A%2F%2Fguides.rubyonrails.org%2Factive_storage_overview.html%23direct-upload-javascript-events\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG279m-zHvPmzkbCE05wo4oexTrSA&#39;;return true;">direct uploads) and the customer:
  1. Uploads "handsome.jpg", thereby creating a new Blob (blob-1)
  2. Then decides to upload "extra-handsome.jpg" instead, which creates another new Blob (blob-2)
  3. Submits the form, which attaches customer.avatar to blob-2
In this scenario blob-1 will forever be unattached.

A scheduled rake task could of course periodically purge unattached blobs. But ideally, the Active Storage JavaScript library would allow the client to delete blob-1 directly from the cloud when it knows it will be unattached.

I don't believe there are any security concerns, because we're using blob.signed_id.

Would the Rails team consider a patch that adds this functionality?

Thanks!

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/d/optout.