- Requirements
- Installation
- Quick Start
- Usage
- Validations
- Security Validations
- Defaults
- Migrations
- Storage
- Post Processing
- Events
- URI Obfuscation
- MD5 Checksum / Fingerprint
- File Preservation for Soft-Delete
- Custom Attachment Processors
- Dynamic Configuration
- Logging
- Deployment
- Testing
- Contributing
- License
- About thoughtbot
Paperclip is intended as an easy file attachment library for ActiveRecord. The intent behind it was to keep setup as easy as possible and to treat files as much like other attributes as possible. This means they aren't saved to their final locations on disk, nor are they deleted if set to nil, until ActiveRecord::Base#save is called. It manages validations based on size and presence, if required. It can transform its assigned image into thumbnails if needed, and the prerequisites are as simple as installing ImageMagick (which, for most modern Unix-based systems, is as easy as installing the right packages). Attached files are saved to the filesystem and referenced in the browser by an easily understandable specification, which has sensible and useful defaults.
See the documentation for `has_attached_file` in `Paperclip::ClassMethods` for more detailed options.
Paperclip now requires Ruby version >= 2.0.0 and Rails version 3.2, >= 4.1 (Only if you're going to use Paperclip with Ruby on Rails.)
If you're still on Ruby 1.8.7 or Ruby on Rails 2.3.x, you can still use Paperclip 2.7.x with your project. Also, everything in this README might not apply to your version of Paperclip, and you should read the README for version 2.7 instead.
ImageMagick must be installed and Paperclip must have access to it. To ensure that it does, on your command line, run `which convert` (one of the ImageMagick utilities). This will give you the path where that utility is installed. For example, it might return `/usr/local/bin/convert`.
Then, in your environment config file, let Paperclip know to look there by adding that directory to its path.
In development mode, you might add this line to `config/environments/development.rb`:
```ruby
Paperclip.options[:command_path] = "/usr/local/bin/"
```
If you're on Mac OS X, you'll want to run the following with Homebrew:
```sh
brew install imagemagick
```
If you are dealing with PDF uploads or running the test suite, you'll also need to install GhostScript. On Mac OS X, you can also install that using Homebrew:
```sh
brew install gs
```
If you're on Ubuntu (or any Debian-based Linux distribution), you'll want to run the following with apt-get:
```sh
sudo apt-get install imagemagick -y
```
The Unix `file` command is required for content-type checking. This utility isn't available in Windows, but comes bundled with Ruby Devkit, so Windows users must make sure that the devkit is installed and added to the system `PATH`.
Manual Installation
If you're using Windows 7+ as a development environment, you may need to install the `file.exe` application manually. The file spoofing system in Paperclip 4+ relies on this; if you don't have it working, you'll receive `Validation failed: Upload file has an extension that does not match its contents.` errors.
To manually install, you should perform the following:
Download & install `file` from this URL
To test, you can use the image below:
Next, you need to integrate with your environment - preferably through the `PATH` variable, or by changing your `config/environments/development.rb` file
PATH
1. Click "Start"
2. On "Computer", right-click and select "Properties"
3. In Properties, select "Advanced System Settings"
4. Click the "Environment Variables" button
5. Locate the "PATH" var - at the end, add the path to your newly installed `file.exe` (typically `C:\Program Files (x86)\GnuWin32\bin`)
6. Restart any CMD shells you have open & see if it works
OR
Environment
1. Open `config/environments/development.rb`
2. Add the following line: `Paperclip.options[:command_path] = 'C:\Program Files (x86)\GnuWin32\bin'`
3. Restart your Rails server
Either of these methods will give your Rails setup access to the `file.exe` functionality, thus providing the ability to check the contents of a file (fixing the spoofing problem).
Paperclip is distributed as a gem, which is how it should be used in your app.
Include the gem in your Gemfile:
```ruby
gem "paperclip", "~> 4.3"
```
Or, if you want to get the latest, you can get master from the main paperclip repository:
```ruby
gem "paperclip", git: "https://github.com/thoughtbot/paperclip.git"
```
If you're trying to use features that don't seem to be in the latest released gem, but are mentioned in this README, then you probably need to specify the master branch if you want to use them. This README is probably ahead of the latest released version if you're reading it on GitHub.
For Non-Rails usage:
```ruby
class ModuleName < ActiveRecord::Base
  include Paperclip::Glue
  # ...
end
```
Rails 3
```ruby
class User < ActiveRecord::Base
  attr_accessible :avatar
  has_attached_file :avatar, styles: { medium: "300x300>", thumb: "100x100>" }, default_url: "/images/:style/missing.png"
  validates_attachment_content_type :avatar, content_type: /\Aimage\/.*\Z/
end
```
Rails 4
```ruby
class User < ActiveRecord::Base
  has_attached_file :avatar, styles: { medium: "300x300>", thumb: "100x100>" }, default_url: "/images/:style/missing.png"
  validates_attachment_content_type :avatar, content_type: /\Aimage\/.*\Z/
end
```
```ruby
class AddAvatarColumnsToUsers < ActiveRecord::Migration
  def up
    add_attachment :users, :avatar
  end

  def down
    remove_attachment :users, :avatar
  end
end
```
(Or you can use the Rails migration generator: `rails generate paperclip user avatar`)
```erb
<%= form_for @user, url: users_path, html: { multipart: true } do |form| %>
  <%= form.file_field :avatar %>
<% end %>
```
```erb
<%= simple_form_for @user, url: users_path do |form| %>
  <%= form.input :avatar, as: :file %>
<% end %>
```
Rails 3
```ruby
def create
  @user = User.create(params[:user])
end
```
Rails 4
```ruby
def create
  @user = User.create(user_params)
end

private

# Use strong_parameters for attribute whitelisting
# Be sure to update your create() and update() controller methods.

def user_params
  params.require(:user).permit(:avatar)
end
```
```erb
<%= image_tag @user.avatar.url %>
<%= image_tag @user.avatar.url(:medium) %>
<%= image_tag @user.avatar.url(:thumb) %>
```
Set the attribute to `nil` and save.
```ruby
@user.avatar = nil
@user.save
```
The basics of Paperclip are quite simple: Declare that your model has an attachment with the `has_attached_file` method, and give it a name.
Paperclip will wrap up to four attributes (all prefixed with that attachment's name, so you can have multiple attachments per model if you wish) and give them a friendly front end. These attributes are:
- `<attachment>_file_name`
- `<attachment>_file_size`
- `<attachment>_content_type`
- `<attachment>_updated_at`
By default, only `<attachment>_file_name` is required for Paperclip to operate. You'll need to add `<attachment>_content_type` in case you want to use content type validation.
More information about the options passed to `has_attached_file` is available in the documentation of `Paperclip::ClassMethods`.
For validations, Paperclip introduces several validators to validate your attachment:
- `AttachmentContentTypeValidator`
- `AttachmentPresenceValidator`
- `AttachmentSizeValidator`
Example Usage:
```ruby
validates :avatar, attachment_presence: true
validates_with AttachmentPresenceValidator, attributes: :avatar
validates_with AttachmentSizeValidator, attributes: :avatar, less_than: 1.megabytes
```
Validators can also be defined using the old helper style:
- `validates_attachment_presence`
- `validates_attachment_content_type`
- `validates_attachment_size`
Example Usage:
```ruby
validates_attachment_presence :avatar
```
Lastly, you can also define multiple validations on a single attachment using `validates_attachment`:
```ruby
validates_attachment :avatar, presence: true,
  content_type: { content_type: "image/jpeg" },
  size: { in: 0..10.kilobytes }
```
NOTE: Post-processing will not even start if the attachment is not valid according to the validations. Your callbacks and processors will only be called with valid attachments.
```ruby
class Message < ActiveRecord::Base
  has_attached_file :asset, styles: {thumb: "100x100#"}
  before_post_process :skip_for_audio

  def skip_for_audio
    ! %w(audio/ogg application/ogg).include?(asset_content_type)
  end
end
```
If you have other validations that depend on assignment order, the recommended course of action is to prevent the assignment of the attachment until afterwards, then assign manually:
```ruby
class Book < ActiveRecord::Base
  has_attached_file :document, styles: {thumbnail: "60x60#"}
  validates_attachment :document, content_type: { content_type: "application/pdf" }
  validates_something_else # Other validations that conflict with Paperclip's
end

class BooksController < ApplicationController
  def create
    @book = Book.new(book_params)
    @book.document = params[:book][:document]
    @book.save
    respond_with @book
  end

  private

  def book_params
    params.require(:book).permit(:title, :author)
  end
end
```
A note on content_type validations and security
You should ensure that you validate files to be only those MIME types you explicitly want to support. If you don't, you could be open to XSS attacks if a user uploads a file with a malicious HTML payload.
If you're only interested in images, restrict your allowed content_types to image-y ones:
```ruby
validates_attachment :avatar,
  content_type: { content_type: ["image/jpeg", "image/gif", "image/png"] }
```
`Paperclip::ContentTypeDetector` will attempt to match a file's extension to an inferred content_type, regardless of the actual contents of the file.
Thanks to a report from Egor Homakov we have taken steps to prevent people from spoofing Content-Types and getting data you weren't expecting onto your server.
NOTE: Starting at version 4.0.0, all attachments are required to include a content_type validation, a file_name validation, or to explicitly state that they're not going to have either. Paperclip will raise an error if you do not do this.
```ruby
class ActiveRecord::Base
  has_attached_file :avatar
  # Validate content type
  validates_attachment_content_type :avatar, content_type: /\Aimage/
  # Validate filename
  validates_attachment_file_name :avatar, matches: [/png\Z/, /jpe?g\Z/]
  # Explicitly do not validate
  do_not_validate_attachment_file_type :avatar
end
```
This keeps Paperclip secure-by-default, and will prevent people trying to mess with your filesystem.
NOTE: Also starting at version 4.0.0, Paperclip has another validation that cannot be turned off. This validation will prevent content type spoofing. That is, uploading a PHP document (for example) as part of the EXIF tags of a well-formed JPEG. This check is limited to the media type (the first part of the MIME type, so, 'text' in `text/plain`). This will prevent HTML documents from being uploaded as JPEGs, but will not prevent GIFs from being uploaded with a `.jpg` extension. This validation will only add validation errors to the form. It will not cause errors to be raised.
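A simplified model of the media-type comparison described above, as an added example that is not Paperclip's own code. The signature and extension tables, the helper names and the sample uploads are constructed for illustration; they stand in for the `file` command and the mime-types gem.

```ruby
# Added illustration, not Paperclip's source: the two tables are small
# constructed stand-ins for the `file` command and the mime-types gem.
MAGIC_SIGNATURES = {
  "\xFF\xD8\xFF".b      => "image/jpeg",
  "GIF87a".b            => "image/gif",
  "GIF89a".b            => "image/gif",
  "\x89PNG\r\n\x1A\n".b => "image/png",
  "%PDF-".b             => "application/pdf"
}.freeze

EXTENSION_TYPES = {
  "jpg" => "image/jpeg", "jpeg" => "image/jpeg", "gif" => "image/gif",
  "png" => "image/png", "pdf" => "application/pdf",
  "html" => "text/html", "txt" => "text/plain"
}.freeze

# "image/jpeg" -> "image": the only part the spoof check compares.
def media_type(mime)
  mime.split("/").first
end

# Type implied by the file name, or nil when the extension is unknown.
def type_from_extension(filename)
  EXTENSION_TYPES[File.extname(filename).delete(".").downcase]
end

# Type implied by the bytes themselves (first 512 bytes only).
def type_from_content(bytes)
  head = bytes.b[0, 512]
  MAGIC_SIGNATURES.each { |sig, mime| return mime if head.start_with?(sig) }
  return "text/html" if head.match?(/<(?:!doctype\s+html|html|body|script)\b/i)
  head.match?(/\A[[:print:]\s]*\z/) ? "text/plain" : "application/octet-stream"
end

# The check the README describes: flag the upload only when the media types
# (not the full MIME types) disagree. Skipping unknown extensions is this
# sketch's own choice.
def spoofed?(filename, bytes)
  claimed = type_from_extension(filename)
  return false if claimed.nil?
  media_type(claimed) != media_type(type_from_content(bytes))
end

# Stricter comparison of the full MIME type, shown for contrast.
def full_type_mismatch?(filename, bytes)
  claimed = type_from_extension(filename)
  !claimed.nil? && claimed != type_from_content(bytes)
end

# Constructed sample uploads: [file name, leading bytes].
SAMPLE_UPLOADS = {
  honest_jpeg:  ["avatar.jpg", "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00".b],
  html_as_jpeg: ["avatar.jpg", "<html><body>not an image</body></html>"],
  gif_as_jpeg:  ["avatar.jpg", "GIF89a\x01\x00\x01\x00".b],
  html_as_pdf:  ["report.pdf", "<!DOCTYPE html><html></html>"]
}.freeze

# Runs both comparisons over every sample upload.
def spoof_report
  SAMPLE_UPLOADS.transform_values do |(name, bytes)|
    { spoofed: spoofed?(name, bytes), full_mismatch: full_type_mismatch?(name, bytes) }
  end
end

spoof_report.each { |label, result| puts "#{label}: #{result}" }
```

The GIF renamed to `.jpg` passes the media-type check and is only caught by the full-type comparison, which is why an explicit `content_type` allowlist is still needed alongside the spoof check.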
This can sometimes cause false validation errors in applications that use custom file extensions. In these cases you may wish to add your custom extension to the list of file extensions allowed for your MIME type configured by the mime-types gem:
```ruby
# Allow ".foo" as an extension for files with the MIME type "text/plain".
text_plain = MIME::Types["text/plain"].first
text_plain.extensions << "foo"
MIME::Types.index_extensions text_plain
```
Global defaults for all your Paperclip attachments can be defined by changing the `Paperclip::Attachment.default_options` Hash. This can be useful for setting your default storage settings, for example, so you won't have to define them in every `has_attached_file` definition.
If you're using Rails, you can define a Hash with default options in `config/application.rb` or in any of the `config/environments/*.rb` files on `config.paperclip_defaults`. These will get merged into `Paperclip::Attachment.default_options` as your Rails app boots. An example:
```ruby
module YourApp
  class Application < Rails::Application
    # Other code...
    config.paperclip_defaults = { storage: :fog, fog_credentials: { provider: "Local", local_root: "#{Rails.root}/public"}, fog_directory: "", fog_host: "localhost"}
  end
end
```
Another option is to directly modify the `Paperclip::Attachment.default_options` Hash - this method works for non-Rails applications or is an option if you prefer to place the Paperclip default settings in an initializer.
An example Rails initializer would look something like this:
```ruby
Paperclip::Attachment.default_options[:storage] = :fog
Paperclip::Attachment.default_options[:fog_credentials] = { provider: "Local", local_root: "#{Rails.root}/public"}
Paperclip::Attachment.default_options[:fog_directory] = ""
Paperclip::Attachment.default_options[:fog_host] = "http://localhost:3000"
```
Paperclip defines several migration methods which can be used to create the necessary columns in your model. There are two types of helper methods to aid in this, as follows:
The `attachment` helper can be used when creating a table:
```ruby
class CreateUsersWithAttachments < ActiveRecord::Migration
  def up
    create_table :users do |t|
      t.attachment :avatar
    end
  end

  # This is assuming you are only using the users table for Paperclip attachment. Drop with care!
  def down
    drop_table :users
  end
end
```
You can also use the `change` method, instead of the `up`/`down` combination above, as shown below:
```ruby
class CreateUsersWithAttachments < ActiveRecord::Migration
  def change
    create_table :users do |t|
      t.attachment :avatar
    end
  end
end
```
Alternatively, the `add_attachment` and `remove_attachment` methods can be used to add new Paperclip columns to an existing table:
```ruby
class AddAttachmentColumnsToUsers < ActiveRecord::Migration
  def up
    add_attachment :users, :avatar
  end

  def down
    remove_attachment :users, :avatar
  end
end
```
Or you can do this with the `change` method:
```ruby
class AddAttachmentColumnsToUsers < ActiveRecord::Migration
  def change
    add_attachment :users, :avatar
  end
end
```
Vintage syntax (such as `t.has_attached_file` and `drop_attached_file`) is still supported in Paperclip 3.x, but you're advised to update those migration files to use this new syntax.
Paperclip ships with 3 storage adapters:
- File Storage
- S3 Storage (via `aws-sdk` or `aws-sdk-v1`)
- Fog Storage
If you would like to use Paperclip with another storage, you can install these gems alongside Paperclip:
The files that are assigned as attachments are, by default, placed in the directory specified by the `:path` option to `has_attached_file`. By default, this location is `:rails_root/public/system/:class/:attachment/:id_partition/:style/:filename`.
This location was chosen because, on standard Capistrano deployments, the `public/system` directory is symlinked to the app's shared directory, meaning it will survive between deployments. For example, using that `:path`, you may have a file at
```
/data/myapp/releases/20081229172410/public/system/users/avatar/000/000/013/small/my_pic.png
```
NOTE: This is a change from previous versions of Paperclip, but is overall a safer choice for the default file store.
You may also choose to store your files using Amazon's S3 service. To do so, include the `aws-sdk` gem in your Gemfile:
```ruby
gem 'aws-sdk', '>= 2.0.0' # If using paperclip `master` (upcoming v5.0)
```
or
```ruby
gem 'aws-sdk-v1' # If using paperclip <= v4.3.1
```
And then you can specify using S3 from `has_attached_file`. You can find more information about configuring and using S3 storage in the `Paperclip::Storage::S3` documentation.
NOTE: If upgrading aws-sdk from v1.x to v2.x, be sure to read the UPGRADING guide.
Files on the local filesystem (and in the Rails app's public directory) will be available to the internet at large. If you require access control, it's possible to place your files in a different location. You will need to change both the `:path` and `:url` options in order to make sure the files are unavailable to the public. Both `:path` and `:url` allow the same set of interpolated variables.
Paperclip supports an extensible selection of post-processors. When you define a set of styles for an attachment, by default it is expected that those "styles" are actually "thumbnails." However, you can do much more than just thumbnail images. By defining a subclass of Paperclip::Processor, you can perform any processing you want on the files that are attached. Any file in your Rails app's `lib/paperclip` and `lib/paperclip_processors` directories is automatically loaded by Paperclip, allowing you to easily define custom processors. You can specify a processor with the `:processors` option to `has_attached_file`:
```ruby
has_attached_file :scan, styles: { text: { quality: :better } },
                         processors: [:ocr]
```
This would load the hypothetical class Paperclip::Ocr, which would have the hash "{ quality: :better }" passed to it along with the uploaded file. For more information about defining processors, see Paperclip::Processor.
The default processor is Paperclip::Thumbnail. For backward compatibility reasons, you can pass a single geometry string or an array containing a geometry and a format that the file will be converted to, like so:
```ruby
has_attached_file :avatar, styles: { thumb: ["32x32#", :png] }
```
This will convert the "thumb" style to a 32x32 square in PNG format, regardless of what was uploaded. If the format is not specified, it is kept the same (i.e. JPGs will remain JPGs). For more information on the accepted style formats, see here.
Multiple processors can be specified, and they will be invoked in the order they are defined in the `:processors` array. Each successive processor will be given the result of the previous processor's execution. All processors will receive the same parameters, which are defined in the `:styles` hash.
For example, assuming we had this definition:
```ruby
has_attached_file :scan, styles: { text: { quality: :better } },
                         processors: [:rotator, :ocr]
```
then both the :rotator processor and the :ocr processor would receive the options `{ quality: :better }`. This parameter may not mean anything to one or more of the processors, and they are expected to ignore it.
NOTE: Because processors operate by turning the original attachment into the styles, no processors will be run if there are no styles defined.
If you're interested in caching your thumbnail's width, height and size in the database, take a look at the paperclip-meta gem.
Also, if you're interested in generating the thumbnail on-the-fly, you might want to look into the attachment_on_the_fly gem.
Before and after the Post Processing step, Paperclip calls back to the model with a few callbacks, allowing the model to change or cancel the processing step. The callbacks are `before_post_process` and `after_post_process` (which are called before and after the processing of each attachment), and the attachment-specific `before_<attachment>_post_process` and `after_<attachment>_post_process`. The callbacks are intended to be as close to normal ActiveRecord callbacks as possible, so if you return false (specifically - returning nil is not the same) in a `before_filter`, the post processing step will halt. Returning false in an `after_filter` will not halt anything, but you can access the model and the attachment if necessary.
NOTE: Post processing will not even start if the attachment is not valid according to the validations. Your callbacks and processors will only be called with valid attachments.
```ruby
class Message < ActiveRecord::Base
  has_attached_file :asset, styles: {thumb: "100x100#"}
  before_post_process :skip_for_audio

  def skip_for_audio
    ! %w(audio/ogg application/ogg).include?(asset_content_type)
  end
end
```
Paperclip has an interpolation called `:hash` for obfuscating filenames of publicly-available files.
Example Usage:
```ruby
has_attached_file :avatar, {
  url: "/system/:hash.:extension",
  hash_secret: "longSecretString"
}
```
The `:hash` interpolation will be replaced with a unique hash made up of whatever is specified in `:hash_data`. The default value for `:hash_data` is `":class/:attachment/:id/:style/:updated_at"`.
`:hash_secret` is required - an exception will be raised if `:hash` is used without `:hash_secret` present.
For more on this feature, read the author's own explanation
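Why `:hash_secret` matters, as an added example that is not Paperclip's own code. It assumes the hash is an HMAC-SHA1 of the interpolated `:hash_data` keyed with `:hash_secret`; the `interpolate` helper is a simplified stand-in and the record values are constructed.

```ruby
require "openssl"
require "digest"

# Default :hash_data pattern quoted in the README.
DEFAULT_HASH_DATA = ":class/:attachment/:id/:style/:updated_at"

# Replace each :name token with the record's value (simplified interpolation).
def interpolate(pattern, values)
  pattern.gsub(/:(\w+)/) { |token| values.fetch(token.delete(":").to_sym).to_s }
end

# Assumption: the hash is an HMAC-SHA1 of the interpolated data, keyed with
# :hash_secret. Raises when the secret is missing, as the README states.
def hash_key(values, secret:, hash_data: DEFAULT_HASH_DATA)
  if secret.nil? || secret.empty?
    raise ArgumentError, "Unable to generate hash without :hash_secret"
  end
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, interpolate(hash_data, values))
end

# URL in the shape of the README's "/system/:hash.:extension" example.
def obfuscated_url(values, secret:, extension: "png")
  "/system/#{hash_key(values, secret: secret)}.#{extension}"
end

# Unkeyed digest of the same fields, for contrast: anyone who can guess the
# fields (class, id, style, timestamp) can recompute it, so it hides nothing.
def unkeyed_digest(values, hash_data: DEFAULT_HASH_DATA)
  Digest::SHA1.hexdigest(interpolate(hash_data, values))
end

# Constructed sample record values.
RECORD = { class: "users", attachment: "avatars", id: 13,
           style: "thumb", updated_at: 1_230_571_450 }.freeze
SECRET = "longSecretString" # placeholder value from the README example

# Properties of the keyed URL that the obfuscation relies on.
def url_properties
  base = obfuscated_url(RECORD, secret: SECRET)
  newer = RECORD.merge(updated_at: RECORD[:updated_at] + 1)
  {
    stable: base == obfuscated_url(RECORD, secret: SECRET),
    secret_dependent: base != obfuscated_url(RECORD, secret: "anotherSecret"),
    neighbour_differs: base != obfuscated_url(RECORD.merge(id: 14), secret: SECRET),
    changes_on_update: base != obfuscated_url(newer, secret: SECRET),
    unkeyed_is_recomputable:
      unkeyed_digest(RECORD) == Digest::SHA1.hexdigest("users/avatars/13/thumb/1230571450")
  }
end

puts obfuscated_url(RECORD, secret: SECRET)
url_properties.each { |name, value| puts "#{name}: #{value}" }
```

Because `:updated_at` is part of the default `:hash_data`, the URL changes whenever the attachment is re-assigned, and the obfuscation is only as strong as the secrecy and length of `:hash_secret`.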
An MD5 checksum of the original file assigned will be placed in the model if it has an attribute named fingerprint. Following the user model migration example above, the migration would look like the following:
```ruby
class AddAvatarFingerprintColumnToUser < ActiveRecord::Migration
  def up
    add_column :users, :avatar_fingerprint, :string
  end

  def down
    remove_column :users, :avatar_fingerprint
  end
end
```
An option is available to preserve attachments in order to play nicely with soft-deleted models. (acts_as_paranoid, paranoia, etc.)
```ruby
has_attached_file :some_attachment, {
  preserve_files: "true",
}
```
This will prevent `some_attachment` from being wiped out when the model gets destroyed, so it will still exist when the object is restored later.
Custom attachment processors can be implemented and their only requirement is to inherit from `Paperclip::Processor` (see `lib/paperclip/processor.rb`). For example, when `:styles` are specified for an image attachment, the thumbnail processor (see `lib/paperclip/thumbnail.rb`) is loaded without having to specify it as a `:processor` parameter to `has_attached_file`. When any other processor is defined, it must be called out in the `:processors` parameter if it is to be applied to the attachment. The thumbnail processor uses the ImageMagick `convert` command to do the work of resizing image thumbnails. It would be easy to create a custom processor that watermarks an image using ImageMagick's `composite` command. Following the implementation pattern of the thumbnail processor would be a way to implement a watermark processor. All kinds of attachment processors can be created; a few utility examples would be compression and encryption processors.
Callable objects (lambdas, Procs) can be used in a number of places for dynamic configuration throughout Paperclip. This strategy exists in a number of components of the library but is most significant in the possibilities for allowing custom styles and processors to be applied for specific model instances, rather than applying defined styles and processors across all instances.
Imagine a user model that had different styles based on the role of the user. Perhaps some users are bosses (e.g. a User model instance responds to `#boss?`) and merit a bigger avatar thumbnail than regular users. The configuration to determine what style parameters are to be used based on the user role might look as follows, where a boss will receive a `300x300` thumbnail; otherwise a `100x100` thumbnail will be created.
```ruby
class User < ActiveRecord::Base
  has_attached_file :avatar, styles: lambda { |attachment| { thumb: (attachment.instance.boss? ? "300x300>" : "100x100>") } }
end
```
Another contrived example is a user model that is aware of which file processors should be applied to it (beyond the implied `thumbnail` processor invoked when `:styles` are defined). Perhaps we have a watermark processor available and it is only used on the avatars of certain models. The configuration for this might be one where the instance is queried for which processors should be applied to it. Presumably some users might return `[:thumbnail, :watermark]` for their processors, where a defined `watermark` processor is invoked after the `thumbnail` processor already defined by Paperclip.
```ruby
class User < ActiveRecord::Base
  has_attached_file :avatar, processors: lambda { |instance| instance.processors }
  attr_accessor :processors
end
```
By default, Paperclip outputs logging according to your logger level. If you want to disable logging (e.g. during testing) add this into your environment's configuration:
```ruby
Your::Application.configure do
  # ...
  Paperclip.options[:log] = false
  # ...
end
```
More information in the rdocs
Paperclip is aware of new attachment styles you have added in previous deploys. The only thing you should do after each deployment is to call `rake paperclip:refresh:missing_styles`. It will store current attachment styles in `RAILS_ROOT/public/system/paperclip_attachments.yml` by default. You can change it by:
```ruby
Paperclip.registered_attachments_styles_path = '/tmp/config/paperclip_attachments.yml'
```
Here is an example for Capistrano:
```ruby
namespace :deploy do
  desc "build missing paperclip styles"
  task :build_missing_paperclip_styles do
    on roles(:app) do
      within release_path do
        with rails_env: fetch(:rails_env) do
          execute :rake, "paperclip:refresh:missing_styles"
        end
      end
    end
  end
end

after("deploy:compile_assets", "deploy:build_missing_paperclip_styles")
```
Now you don't have to remember to refresh thumbnails in production every time you add a new style. Unfortunately, it does not work with dynamic styles - it just ignores them.
If you already have a working app and don't want `rake paperclip:refresh:missing_styles` to refresh old pictures, you need to tell Paperclip about existing styles. Simply create a `paperclip_attachments.yml` file by hand. For example:
```ruby
class User < ActiveRecord::Base
  has_attached_file :avatar, styles: { thumb: 'x100', croppable: '600x600>', big: '1000x1000>' }
end

class Book < ActiveRecord::Base
  has_attached_file :cover, styles: { small: 'x100', large: '1000x1000>' }
  has_attached_file :sample, styles: { thumb: 'x100' }
end
```
Then in `RAILS_ROOT/public/system/paperclip_attachments.yml`:
```yaml
---
:User:
  :avatar:
  - :thumb
  - :croppable
  - :big
:Book:
  :cover:
  - :small
  - :large
  :sample:
  - :thumb
```
Paperclip provides rspec-compatible matchers for testing attachments. See the documentation on Paperclip::Shoulda::Matchers for more information.
Parallel Tests
Because of the default `path` for Paperclip storage, if you try to run tests in parallel, you may find that files get overwritten because the same path is being calculated for them in each test process. While this fix works for parallel_tests, a similar concept should be used for any other mechanism for running tests concurrently.
```ruby
if ENV['PARALLEL_TEST_GROUPS']
  Paperclip::Attachment.default_options[:path] = ":rails_root/public/system/:rails_env/#{ENV['TEST_ENV_NUMBER'].to_i}/:class/:attachment/:id_partition/:filename"
else
  Paperclip::Attachment.default_options[:path] = ":rails_root/public/system/:rails_env/:class/:attachment/:id_partition/:filename"
end
```
The important part here being the inclusion of `ENV['TEST_ENV_NUMBER']`, or a similar mechanism for whichever parallel testing library you use.
Integration Tests
Using integration tests with FactoryGirl may save multiple copies of your test files within the app. To avoid this, specify a custom path in the `config/environments/test.rb` like so:
```ruby
Paperclip::Attachment.default_options[:path] = "#{Rails.root}/spec/test_files/:class/:id_partition/:style.:extension"
```
Then, make sure to delete that directory after the test suite runs by adding this to `spec_helper.rb`.
```ruby
config.after(:suite) do
  FileUtils.rm_rf(Dir["#{Rails.root}/spec/test_files/"])
end
```
If you'd like to contribute a feature or bugfix: Thanks! To make sure your fix/feature has a high chance of being included, please read the following guidelines:
- Post a pull request.
- Make sure there are tests! We will not accept any patch that is not tested. It's a rare time when explicit tests aren't needed. If you have questions about writing tests for paperclip, please open a GitHub issue.
Please see `CONTRIBUTING.md` for more details on contributing and running tests.
Thank you to all the contributors!
Paperclip is Copyright © 2008-2015 thoughtbot, inc. It is free software, and may be redistributed under the terms specified in the MIT-LICENSE file.
Paperclip is maintained and funded by thoughtbot. The names and logos for thoughtbot are trademarks of thoughtbot, inc.
We love open source software! See our other projects or hire us to design, develop, and grow your product.