To enhance security, you may disable ActiveStorage\u2019s public routes by configuring the application:<\/p>\n
\r\n# config\/application.rb\r\nconfig.active_storage.draw_routes = false\r\n<\/pre>\nIf you attempt to access the file using a direct call like:<\/p>\n
\r\nredirect_to @invoice.generated_pdf.url\r\n<\/pre>\nIt results in errors such as:<\/p>\n
\r\nCannot generate URL using Disk service...\r\nundefined method `rails_disk_service_url`...\r\n<\/pre>\nThis happens because ActiveStorage cannot generate public URLs when using the Disk service or when routes are disabled.<\/p>\n
The Right Way: Serve Secure Files via Controller (Streaming)<\/h2>\n
Instead of generating a signed URL, you can stream the file directly from your controller.<\/p>\n
Step-by-Step Solution<\/h2>\n
1. Add Streaming Concern<\/h3>\n
\r\n# app\/controllers\/concerns\/streamable_attachment.rb\r\nmodule StreamableAttachment\r\n extend ActiveSupport::Concern\r\n\r\n def stream_attachment(record:, attachment_name:, disposition: \"inline\")\r\n attachment = record.public_send(attachment_name)\r\n\r\n return head :not_found unless attachment.attached?\r\n blob = attachment.blob\r\n response.headers['Content-Type'] = blob.content_type\r\n response.headers['Content-Disposition'] = \"#{disposition}; filename=\\\"#{blob.filename}\\\"\"\r\n response.headers['Content-Length'] = blob.byte_size.to_s\r\n\r\n blob.download do |chunk|\r\n response.stream.write chunk\r\n end\r\n ensure\r\n response.stream.close\r\n end\r\nend\r\n<\/pre>\n2. Use It in Your Controller<\/h3>\n
\r\nclass InvoicesController < ApplicationController\r\n include StreamableAttachment\r\n\r\n def show_pdf\r\n invoice = Invoice.find(params[:id])\r\n # authorize invoice(Use Pundit or your own logic\r\n stream_attachment(record: invoice, attachment_name: :generated_pdf, disposition: \"inline\")\r\n end\r\nend\r\n<\/pre>\n3. Add Route<\/h3>\n
\r\n# config\/routes.rb\r\nresources :invoices do\r\n member do\r\n get :show_pdf\r\n end\r\nend\r\n<\/pre>\n4. Embed PDF in the View<\/h3>\n
\r\n<% if @invoice.generated_pdf.attached? %>\r\n \r\n<% else %>\r\nNo PDF attached.<\/p>\r\n<% end %>\r\n<\/pre>\n
Why Not Signed URLs?<\/h2>\n
Signed URLs are great for performance, but:<\/p>\n
\n
- Can be forwarded\/shared while still valid<\/li>\n
- Don't give you control over download logging or rate limiting<\/li>\n
- Are harder to embed in controlled HTML views<\/li>\n<\/ul>\n
Conclusion<\/h2>\n
\n
- Avoid Public URLs for Sensitive Files:<\/strong> Exposing file URLs, even signed ones, can pose security risks in applications handling confidential documents.<\/li>\n
- Use Controller-Based Streaming:<\/strong> Serving attachments via a controller allows you to enforce authentication and authorization before granting access.<\/li>\n
- Support Inline PDF Viewing:<\/strong> With the correct headers and response setup, PDF files can be previewed directly in the browser, improving user experience.<\/li>\n
- Keep Code Reusable and Maintainable:<\/strong> Extracting the streaming logic into a reusable concern ensures consistency and reduces duplication across models and controllers.<\/li>\n
- Scalable for Any Model:<\/strong> This approach is flexible and can be applied to any model with attachments, making it a robust solution for secure file delivery.<\/li>\n<\/ul>\n
![\"Also](\"https:\/\/assets.bacancytechnology.com\/qanda\/wp-content\/uploads\/2025\/04\/24061434\/read-txt.png\")