I’m trying to make a gallery where I can serve images to an authenticated user, but if the user tries going directly to the images at http://foo.com/images/thumb.jpg the image should not be found. I’m trying to not put images into the database.

Any ideas on how to do this?

First, I think you’ll have to disable any direct pass-thru that might be setup on your webserver. Typically, most people configure their Apache vhost to serve up images, javascript files, and .html files directly without handing the request to your web app. But in this case, you’d need your app involved so that you can perform the authentication check.

To actually perform the authentication, you can use the new http authentication in Rails 2.0, or use something like the restful_authentication plugin to require authentication before any action in your images controller. Depends on your situation which one would be better.

I’m familiar with restful_authentication and planned on using it. I’m going to be deploying this to DreamHost (fcgi). My question really pertains more to either how or a good reference to where I could find out how to disable the passthrough for images. Even if I could do it for just .jpg files.

Could this be controlled by either an .htaccess file or the dispatch.fcgi file?

Have a look at the send_data method. Using send_data, you can put your image files in a non-publicly accessible directory and serve them via a controller action that is authenticated.