I have my "Download method" in the File system config set to private. But it looks like anonymous users can still access files via URLs like /system/files/some_file.pdf

Looking at the /admin/user/permissions page, I don't see anything that can be used to control access to files via these /system/files/ URLs. Perhaps I should use htaccess to direct people away from URLs with '/system/files/' in them? That would effectively prevent everyone from accessing the files via that type of URL, so I would then need to write a module (with built-in access controls) to allow select roles to access the files via some other URL format. I'm a little surprised that would be necessary, though. Is there no setting in the 6x core to restrict access via these /system/files/ URLs? Am I missing it?

Thank you,
Ryan

Comments

kscheirer’s picture

Setting the download method to "Private" doesn't have any effect by itself.

It's unfortunately named, and things were cleaned up a lot in 7. If possible, I recommend using 7 for any sort of trickiness around public/private files.

If you're stuck in 6 though, what the private download setting does do is fire off an extra event, hook_download() I think, that gives you an opportunity to verify that the user can download the requested file. So once you implement this hook, you can get real private downloads.

Also check out http://drupal.org/project/private_download, especially if you're not a coder.

webcomm’s picture

"Setting the download method to "Private" doesn't have any effect by itself."

I understood that this was a bit of a misnomer and "private" just means outside the install directory. However, I figured there must be some setting elsewhere to control file access per user. In my post I mentioned I'm using the private method in case that might be pertinent in some other way I wasn't aware of.

"It's unfortunately named, and things were cleaned up a lot in 7. If possible, I recommend using 7 for any sort of trickiness around public/private files."

I'm hesitant, for the moment. New releases -> new bugs. But if Drupal 7 has per-user file access (or even node access) in the core, I might consider it. : )

"If you're stuck in 6 though, what the private download setting does do, is fire off an extra event, hook_download() I think, that gives you an opportunity to verify that the user can download the requested file. So once you implement this hook, you can get real private downloads."

hook_file_download() checks for "access content", but that's it, and that's hard-coded in. In any case, I have no doubt I can grant access to the files in a fine-grained way in my module by wrapping something around file_transfer(). I'm just a little surprised that, meanwhile, I need to use htaccess to block access via the /system/files/ URLs, if indeed that's the case.

"Also check out http://drupal.org/project/private_download, especially if you're not a coder."

Thanks, I'm a coder. What I'll be working towards, in the simplest way possible, is per-user file access. I believe there are some existing modules and/or combinations of modules that make this possible already, but I'm spooked by some of the bug reports I see in those modules. At first glance I don't think the private_download module will be useful in this case.

Thx.

webcomm’s picture

I wasn't clear in that last paragraph. What I meant is, I'll just go ahead and write a module... a really simple one hopefully.

kscheirer’s picture

It's hook_file_download(). The basic example just checks user_access(), but you're free to write a more complicated check. The return values are a little strange too, -1 to deny access, or an array of headers to grant it.
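
An added example, not part of the original thread: a minimal Drupal 6 module sketch of the hook_file_download() return convention described above (-1 to deny, an array of headers to grant), applied to per-user access. The module name `protected_files`, the permission string, the `protected` subdirectory and the reliance on rows in `{files}` are all assumptions made for illustration.

```php
<?php
// protected_files.module: illustration only. The module name, permission
// string and "protected" subdirectory are assumptions, not from the thread.

/**
 * Implementation of hook_perm().
 */
function protected_files_perm() {
  return array('download any protected file');
}

/**
 * Implementation of hook_file_download().
 *
 * Core invokes this for /system/files/... requests. Return -1 to deny,
 * an array of headers to grant, or nothing to leave the decision to
 * other modules.
 */
function protected_files_file_download($filepath) {
  global $user;

  // Resolve symlinks and ".." before comparing against the protected directory.
  $path = file_create_path($filepath);
  $real = $path ? realpath($path) : FALSE;
  $base = realpath(file_directory_path() . '/protected');
  if (!$real || !$base || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
    return NULL; // Not a file this module is responsible for.
  }

  // Look up the owner recorded in {files} (assumes the upload was saved there).
  $file = db_fetch_object(db_query("SELECT uid, filemime, filesize FROM {files} WHERE filepath = '%s'", $path));
  if (!$file) {
    return -1; // Fail closed for untracked files in the protected directory.
  }

  // Grant to the uploader, or to roles holding the override permission.
  $is_owner = $user->uid && $user->uid == $file->uid;
  if (!$is_owner && !user_access('download any protected file')) {
    return -1;
  }

  return array(
    'Content-Type: ' . $file->filemime,
    'Content-Length: ' . $file->filesize,
    'Cache-Control: private',
  );
}
```

Because core denies the request as soon as any module returns -1, this check still applies when another module would grant access to the same file.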

capoyeti’s picture

Hi webcomm,

please keep us posted on your progress - I would love to move to D7, but am using too many other modules that aren't ready for 7 yet..

Cheers,

WorldFallz’s picture

You actually don't need a module for this. Keep the file system public, use a filefield, and implement the method described at http://drupal.org/node/540754. In d7 it's much improved-- filefield is in core and you can select public/private per filefield right in the settings for the field itself.

capoyeti’s picture

following this..

vitok-dupe’s picture

Subscribe