paperclip

Created: 2008-04-10 19:58
Updated: 2019-02-27 07:54
License: other

README.md

Paperclip

Deprecated

Paperclip is deprecated.

For new projects, we recommend Rails' own ActiveStorage.

For existing projects, please consult and contribute to the migration guide (en español).

We will leave the Issues open as a discussion forum only. We do not guarantee a response from us in the Issues.

We are no longer accepting pull requests except pull requests against the migration guide. All other pull requests will be closed without merging.

Existing documentation

Documentation valid for master branch

Please check the documentation for the paperclip version you are using: https://github.com/thoughtbot/paperclip/releases



Paperclip is intended as an easy file attachment library for ActiveRecord. The intent behind it was to keep setup as easy as possible and to treat files as much like other attributes as possible. This means they aren't saved to their final locations on disk, nor are they deleted if set to nil, until ActiveRecord::Base#save is called. It manages validations based on size and presence, if required. It can transform its assigned image into thumbnails if needed, and the prerequisites are as simple as installing ImageMagick (which, for most modern Unix-based systems, is as easy as installing the right packages). Attached files are saved to the filesystem and referenced in the browser by an easily understandable specification, which has sensible and useful defaults.

See the documentation for has_attached_file in Paperclip::ClassMethods for more detailed options.

The complete RDoc is online.


Requirements

Ruby and Rails

Paperclip now requires Ruby version >= 2.1 and Rails version >= 4.2 (only if you're going to use Paperclip with Ruby on Rails).

Image Processor

ImageMagick must be installed and Paperclip must have access to it. To ensure that it does, on your command line, run which convert (one of the ImageMagick utilities). This will give you the path where that utility is installed. For example, it might return /usr/local/bin/convert.

Then, in your environment config file, let Paperclip know to look there by adding that directory to its path.

In development mode, you might add this line to config/environments/development.rb:

Paperclip.options[:command_path] = "/usr/local/bin/"

If you're on Mac OS X, you'll want to run the following with Homebrew:

brew install imagemagick

If you are dealing with PDF uploads or running the test suite, you'll also need to install GhostScript. On Mac OS X, you can also install that using Homebrew:

brew install gs

If you are on Ubuntu (or any Debian-based Linux distribution), you'll want to run the following with apt-get:

sudo apt-get install imagemagick -y

file

The Unix file command is required for content-type checking. This utility isn't available in Windows, but comes bundled with Ruby Devkit, so Windows users must make sure that the devkit is installed and added to the system PATH.

Manual Installation

If you're using Windows 7+ as a development environment, you may need to install the file.exe application manually. The file spoofing system in Paperclip 4+ relies on this; if you don't have it working, you'll receive Validation failed: Upload file has an extension that does not match its contents. errors.

To manually install, you should perform the following:

Download & install file from this URL

To test, you can use the image below: untitled

Next, you need to integrate with your environment, preferably through the PATH variable, or by changing your config/environments/development.rb file.

PATH

1. Click "Start"
2. On "Computer", right-click and select "Properties"
3. In Properties, select "Advanced System Settings"
4. Click the "Environment Variables" button
5. Locate the "PATH" var - at the end, add the path to your newly installed `file.exe` (typically `C:\Program Files (x86)\GnuWin32\bin`)
6. Restart any CMD shells you have open & see if it works

OR

Environment

1. Open `config/environments/development.rb`
2. Add the following line: `Paperclip.options[:command_path] = 'C:\Program Files (x86)\GnuWin32\bin'`
3. Restart your Rails server

Either of these methods will give your Rails setup access to the file.exe functionality, thus providing the ability to check the contents of a file (fixing the spoofing problem).


Installation

Paperclip is distributed as a gem, which is how it should be used in your app.

Include the gem in your Gemfile:

gem "paperclip", "~> 6.0.0"

Or, if you want to get the latest, you can get master from the main paperclip repository:

# Fetched over HTTPS: git:// is unauthenticated, and GitHub no longer serves it.
gem "paperclip", git: "https://github.com/thoughtbot/paperclip.git"

If you're trying to use features that don't seem to be in the latest released gem, but are mentioned in this README, then you probably need to specify the master branch if you want to use them. This README is probably ahead of the latest released version if you're reading it on GitHub.

For Non-Rails usage:

class ModuleName < ActiveRecord::Base
  include Paperclip::Glue
  ...
end

Quick Start

Models

class User < ActiveRecord::Base
  has_attached_file :avatar, styles: { medium: "300x300>", thumb: "100x100>" }, default_url: "/images/:style/missing.png"
  validates_attachment_content_type :avatar, content_type: /\Aimage\/.*\z/
end

Migrations

Assuming you have a users table, add an avatar column to the users table:

class AddAvatarColumnsToUsers < ActiveRecord::Migration
  def up
    add_attachment :users, :avatar
  end

  def down
    remove_attachment :users, :avatar
  end
end

(Or you can use the Rails migration generator: rails generate paperclip user avatar)

Edit and New Views

Make sure you have corresponding methods in your controller:

<%= form_for @user, url: users_path, html: { multipart: true } do |form| %>
  <%= form.file_field :avatar %>
  <%= form.submit %>
<% end %>

Edit and New Views with Simple Form

<%= simple_form_for @user, url: users_path do |form| %>
  <%= form.input :avatar, as: :file %>
  <%= form.submit %>
<% end %>

Controller

def create
  @user = User.create(user_params)
end

private

# Use strong_parameters for attribute whitelisting
# Be sure to update your create() and update() controller methods.

def user_params
  params.require(:user).permit(:avatar)
end

View Helpers

Add these to the view where you want your images displayed:

<%= image_tag @user.avatar.url %>
<%= image_tag @user.avatar.url(:medium) %>
<%= image_tag @user.avatar.url(:thumb) %>

Checking a File Exists

There are two methods for checking if a file exists:

  • file? and present? check if the _file_name field is populated
  • exists? checks if the file exists (will perform a TCP connection if stored in the cloud)

Keep this in mind if you are checking if files are present in a loop. The first version is significantly more performant, but has different semantics.

Deleting an Attachment

Set the attribute to nil and save.

@user.avatar = nil
@user.save

Usage

The basics of Paperclip are quite simple: Declare that your model has an attachment with the has_attached_file method, and give it a name.

Paperclip will wrap up to four attributes (all prefixed with that attachment's name, so you can have multiple attachments per model if you wish) and give them a friendly front end. These attributes are:

  • <attachment>_file_name
  • <attachment>_file_size
  • <attachment>_content_type
  • <attachment>_updated_at

By default, only <attachment>_file_name is required for Paperclip to operate. You'll need to add <attachment>_content_type in case you want to use content type validation.

More information about the options passed to has_attached_file is available in the documentation of Paperclip::ClassMethods.

Validations

For validations, Paperclip introduces several validators to validate your attachment:

  • AttachmentContentTypeValidator
  • AttachmentPresenceValidator
  • AttachmentSizeValidator

Example Usage:

validates :avatar, attachment_presence: true
validates_with AttachmentPresenceValidator, attributes: :avatar
validates_with AttachmentSizeValidator, attributes: :avatar, less_than: 1.megabytes

Validators can also be defined using the old helper style:

  • validates_attachment_presence
  • validates_attachment_content_type
  • validates_attachment_size

Example Usage:

validates_attachment_presence :avatar

Lastly, you can also define multiple validations on a single attachment using validates_attachment:

validates_attachment :avatar, presence: true,
  content_type: "image/jpeg",
  size: { in: 0..10.kilobytes }

NOTE: Post-processing will not even start if the attachment is not valid according to the validations. Your callbacks and processors will only be called with valid attachments.

class Message < ActiveRecord::Base
  has_attached_file :asset, styles: { thumb: "100x100#" }

  before_post_process :skip_for_audio

  def skip_for_audio
    ! %w(audio/ogg application/ogg).include?(asset_content_type)
  end
end

If you have other validations that depend on assignment order, the recommended course of action is to prevent the assignment of the attachment until afterwards, then assign manually:

class Book < ActiveRecord::Base
  has_attached_file :document, styles: { thumbnail: "60x60#" }
  validates_attachment :document, content_type: "application/pdf"
  validates_something_else # Other validations that conflict with Paperclip's
end

class BooksController < ApplicationController
  def create
    @book = Book.new(book_params)
    @book.document = params[:book][:document]
    @book.save
    respond_with @book
  end

  private

  def book_params
    params.require(:book).permit(:title, :author)
  end
end

A note on content_type validations and security

You should ensure that you validate files to be only those MIME types you explicitly want to support. If you don't, you could be open to XSS attacks if a user uploads a file with a malicious HTML payload.

If you're only interested in images, restrict your allowed content_types to image-y ones:

validates_attachment :avatar,
  content_type: ["image/jpeg", "image/gif", "image/png"]

Paperclip::ContentTypeDetector will attempt to match a file's extension to an inferred content_type, regardless of the actual contents of the file.


Internationalization (I18n)

For using or adding locale files in different languages, check the project https://github.com/thoughtbot/paperclip-i18n.

Security Validations

Thanks to a report from Egor Homakov we have taken steps to prevent people from spoofing Content-Types and getting data you weren't expecting onto your server.

NOTE: Starting at version 4.0.0, all attachments are required to include a content_type validation, a file_name validation, or to explicitly state that they're not going to have either. Paperclip will raise an error if you do not do this.

class ActiveRecord::Base
  has_attached_file :avatar
  # Validate content type
  validates_attachment_content_type :avatar, content_type: /\Aimage/
  # Validate filename
  validates_attachment_file_name :avatar, matches: [/png\z/, /jpe?g\z/]
  # Explicitly do not validate
  do_not_validate_attachment_file_type :avatar
end

This keeps Paperclip secure-by-default, and will prevent people trying to mess with your filesystem.

NOTE: Also starting at version 4.0.0, Paperclip has another validation that cannot be turned off. This validation will prevent content type spoofing. That is, uploading a PHP document (for example) as part of the EXIF tags of a well-formed JPEG. This check is limited to the media type (the first part of the MIME type, so, 'text' in text/plain). This will prevent HTML documents from being uploaded as JPEGs, but will not prevent GIFs from being uploaded with a .jpg extension. This validation will only add validation errors to the form. It will not cause errors to be raised.

This can sometimes cause false validation errors in applications that use custom file extensions. In these cases you may wish to add your custom extension to the list of content type mappings by creating config/initializers/paperclip.rb:

# Allow ".foo" as an extension for files with the MIME type "text/plain".
Paperclip.options[:content_type_mappings] = {
  foo: %w(text/plain)
}
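
The media-type rule described above, as an added standalone example (not Paperclip's code): the extension's media type is compared with the type inferred from the bytes, and an entry shaped like content_type_mappings overrides the result. EXTENSION_TYPES, sniff_content_type, media_type and spoofed? are hypothetical names, and the byte sniffing stands in for the file command.

```ruby
# Simplified illustration of the media-type comparison; not Paperclip's code.
# Constructed extension table (a real check would use a full MIME database).
EXTENSION_TYPES = {
  "jpg" => %w(image/jpeg), "jpeg" => %w(image/jpeg), "png" => %w(image/png),
  "gif" => %w(image/gif), "html" => %w(text/html), "txt" => %w(text/plain)
}.freeze

# Stand-in for the Unix `file` command: infer a type from the leading bytes.
def sniff_content_type(bytes)
  data = bytes.b
  return "image/jpeg" if data.start_with?("\xFF\xD8\xFF".b)
  return "image/png"  if data.start_with?("\x89PNG\r\n\x1A\n".b)
  return "image/gif"  if data.start_with?("GIF87a", "GIF89a")
  head = data[0, 512].downcase
  markers = ["<!doctype html", "<html", "<script"]
  return "text/html" if markers.any? { |marker| head.include?(marker) }
  data.include?("\x00") ? "application/octet-stream" : "text/plain"
end

# "image/jpeg" -> "image": only this first part takes part in the comparison.
def media_type(content_type)
  content_type.split("/").first
end

# True when the extension's media type contradicts what the bytes look like.
# `mappings` has the shape of Paperclip.options[:content_type_mappings].
def spoofed?(filename, bytes, mappings = {})
  ext = File.extname(filename).delete(".").downcase
  return false if ext.empty? # no extension, so nothing is claimed
  actual = sniff_content_type(bytes)
  return false if mappings.fetch(ext.to_sym, []).include?(actual)
  claimed = EXTENSION_TYPES.fetch(ext, []).map { |type| media_type(type) }
  !claimed.include?(media_type(actual))
end

# Constructed sample uploads.
HTML_BYTES = "<html><body>not an image</body></html>"
GIF_BYTES  = "GIF89a" + "\x00" * 16
JPEG_BYTES = "\xFF\xD8\xFF\xE0".b + "JFIF"

puts spoofed?("avatar.jpg", HTML_BYTES)   # HTML behind an image extension
puts spoofed?("avatar.jpg", GIF_BYTES)    # GIF as .jpg: same media type
puts spoofed?("photo.jpeg", JPEG_BYTES)   # extension and bytes agree
puts spoofed?("notes.foo", "plain text")  # custom extension, no mapping
puts spoofed?("notes.foo", "plain text", foo: %w(text/plain))
```

Because only the media type is compared, a content_type validation listing the exact MIME types you accept is still needed alongside this check.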

Defaults

Global defaults for all your Paperclip attachments can be defined by changing the Paperclip::Attachment.default_options Hash. This can be useful for setting your default storage settings, for example, so you won't have to define them in every has_attached_file definition.

If you're using Rails, you can define a Hash with default options in config/application.rb or in any of the config/environments/*.rb files on config.paperclip_defaults. These will get merged into Paperclip::Attachment.default_options as your Rails app boots. An example:

module YourApp
  class Application < Rails::Application
    # Other code...

    config.paperclip_defaults = { storage: :fog, fog_credentials: { provider: "Local", local_root: "#{Rails.root}/public"}, fog_directory: "", fog_host: "localhost"}
  end
end

Another option is to directly modify the Paperclip::Attachment.default_options Hash - this method works for non-Rails applications or is an option if you prefer to place the Paperclip default settings in an initializer.

An example Rails initializer would look something like this:

Paperclip::Attachment.default_options[:storage] = :fog
Paperclip::Attachment.default_options[:fog_credentials] = { provider: "Local", local_root: "#{Rails.root}/public"}
Paperclip::Attachment.default_options[:fog_directory] = ""
Paperclip::Attachment.default_options[:fog_host] = "http://localhost:3000"

Migrations

Paperclip defines several migration methods which can be used to create the necessary columns in your model. There are two types of helper methods to aid in this, as follows:

Add Attachment Column To A Table

The attachment helper can be used when creating a table:

class CreateUsersWithAttachments < ActiveRecord::Migration
  def up
    create_table :users do |t|
      t.attachment :avatar
    end
  end

  # This is assuming you are only using the users table for Paperclip attachment. Drop with care!
  def down
    drop_table :users
  end
end

You can also use the change method, instead of the up/down combination above, as shown below:

class CreateUsersWithAttachments < ActiveRecord::Migration
  def change
    create_table :users do |t|
      t.attachment :avatar
    end
  end
end

Schema Definition

Alternatively, the add_attachment and remove_attachment methods can be used to add new Paperclip columns to an existing table:

class AddAttachmentColumnsToUsers < ActiveRecord::Migration
  def up
    add_attachment :users, :avatar
  end

  def down
    remove_attachment :users, :avatar
  end
end

Or you can do this with the change method:

class AddAttachmentColumnsToUsers < ActiveRecord::Migration
  def change
    add_attachment :users, :avatar
  end
end

Vintage Syntax

Vintage syntax (such as t.has_attached_file and drop_attached_file) is still supported in Paperclip 3.x, but you're advised to update those migration files to use this new syntax.


Storage

Paperclip ships with 3 storage adapters:

  • File Storage
  • S3 Storage (via aws-sdk-s3)
  • Fog Storage

If you would like to use Paperclip with another storage, you can install these gems alongside Paperclip:

Understanding Storage

The files that are assigned as attachments are, by default, placed in the directory specified by the :path option to has_attached_file. By default, this location is :rails_root/public/system/:class/:attachment/:id_partition/:style/:filename. This location was chosen because, on standard Capistrano deployments, the public/system directory can be symlinked to the app's shared directory, meaning it survives between deployments. For example, using that :path, you may have a file at

/data/myapp/releases/20081229172410/public/system/users/avatar/000/000/013/small/my_pic.png

NOTE: This is a change from previous versions of Paperclip, but is overall a safer choice for the default file store.

You may also choose to store your files using Amazon's S3 service. To do so, include the aws-sdk-s3 gem in your Gemfile:

gem 'aws-sdk-s3'

And then you can specify using S3 from has_attached_file. You can find more information about configuring and using S3 storage in the Paperclip::Storage::S3 documentation.

Files on the local filesystem (and in the Rails app's public directory) will be available to the internet at large. If you require access control, it's possible to place your files in a different location. You will need to change both the :path and :url options in order to make sure the files are unavailable to the public. Both :path and :url allow the same set of interpolated variables.


IO Adapters

When a file is uploaded or attached, it can be in one of a few different input forms, from Rails' UploadedFile object to a StringIO to a Tempfile or even a simple String that is a URL that points to an image.

Paperclip will accept, by default, many of these sources. It also is capable of handling even more with a little configuration. The IO Adapters that handle images from non-local sources are not enabled by default. They can be enabled by adding a line similar to the following into config/initializers/paperclip.rb:

Paperclip::DataUriAdapter.register

It's best to only enable a remote-loading adapter if you need it. Otherwise there's a chance that someone can gain insight into your internal network structure using it as a vector.

The following adapters are not loaded by default:

  • Paperclip::UriAdapter - which accepts a URI instance.
  • Paperclip::HttpUrlProxyAdapter - which accepts an http string.
  • Paperclip::DataUriAdapter - which accepts a Base64-encoded data: string.
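
One way to vet a user-supplied URL before it reaches a remote-loading adapter, as an added example (not Paperclip code). ALLOWED_HOSTS, BLOCKED_RANGES, DEFAULT_RESOLVER and safe_remote_source? are hypothetical names, and the resolver is injectable so the check can be exercised offline.

```ruby
require "uri"
require "ipaddr"
require "resolv"

# Ranges a server-side fetch should not reach: loopback, private, link-local,
# carrier-grade NAT, and their IPv6 counterparts.
BLOCKED_RANGES = %w(
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
).map { |cidr| IPAddr.new(cidr) }.freeze

# Hypothetical allowlist of hosts this application imports images from.
ALLOWED_HOSTS = %w(images.example.com).freeze

DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

# True only if the URL is plain http(s) without credentials, names an
# allowlisted host, and every resolved address lies outside BLOCKED_RANGES.
def safe_remote_source?(url, resolver: DEFAULT_RESOLVER)
  uri = URI.parse(url)
  return false unless %w(http https).include?(uri.scheme) && uri.userinfo.nil?
  return false unless ALLOWED_HOSTS.include?(uri.host.to_s.downcase)

  addresses = resolver.call(uri.host)
  return false if addresses.empty?

  addresses.none? do |address|
    ip = IPAddr.new(address).native # unwrap IPv4-mapped IPv6 addresses
    BLOCKED_RANGES.any? { |range| range.include?(ip) }
  end
rescue URI::InvalidURIError, IPAddr::InvalidAddressError
  false
end

# Constructed resolvers so the example runs offline; 203.0.113.10 is a
# documentation address (TEST-NET-3).
PUBLIC_DNS   = ->(_host) { ["203.0.113.10"] }
INTERNAL_DNS = ->(_host) { ["203.0.113.10", "10.0.0.5"] }
MAPPED_DNS   = ->(_host) { ["::ffff:127.0.0.1"] }

url = "https://images.example.com/cat.png"
puts safe_remote_source?(url, resolver: PUBLIC_DNS)    # allowlisted, public address
puts safe_remote_source?(url, resolver: INTERNAL_DNS)  # one record is internal
puts safe_remote_source?(url, resolver: MAPPED_DNS)    # loopback behind IPv6 mapping
puts safe_remote_source?("http://127.0.0.1/logo.png", resolver: PUBLIC_DNS)
```

A later fetch resolves the name again and may follow redirects, so connect to the address that passed the check or repeat the check on each hop.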

Post Processing

Paperclip supports an extensible selection of post-processors. When you define a set of styles for an attachment, by default it is expected that those "styles" are actually "thumbnails." These are processed by Paperclip::Thumbnail. For backward compatibility reasons you can pass either a single geometry string, or an array containing a geometry and a format that the file will be converted to, like so:

has_attached_file :avatar, styles: { thumb: ["32x32#", :png] }

This will convert the "thumb" style to a 32x32 square in PNG format, regardless of what was uploaded. If the format is not specified, it is kept the same (e.g. JPGs will remain JPGs). Paperclip::Thumbnail uses ImageMagick to process images; ImageMagick's geometry documentation has more information on the accepted style formats.

For more fine-grained control of the conversion process, source_file_options and convert_options can be used to pass flags and settings directly to ImageMagick's powerful Convert tool, documented here. For example:

has_attached_file :image, styles: { regular: ['800x800>', :png]}, 
    source_file_options: { regular: "-density 96 -depth 8 -quality 85" },
    convert_options: { regular: "-posterize 3"}

ImageMagick supports a number of environment variables for controlling its resource limits. For example, you can enforce memory or execution time limits by setting the following variables in your application's process environment:

  • MAGICK_MEMORY_LIMIT=128MiB
  • MAGICK_MAP_LIMIT=64MiB
  • MAGICK_TIME_LIMIT=30

For a full list of variables and description, see ImageMagick's resources documentation.


Custom Attachment Processors

You can write your own custom attachment processors to carry out tasks like adding watermarks, compressing images, or encryptin