Public v. Private download method...
ubersoft - December 21, 2006 - 22:06
When do you choose one over the other?
What exactly does "public download" do? When would you decide to use it (other than to use the color picker tool in the Garland theme in D5)? I know that private is supposed to be better, security-wise, but if you're the only account with the permissions to upload and download files, does it really matter?
Just wondering.
I am not qualified to give a
I am not qualified to give a good answer to your question, but I've had some images issues wit image.module when setting file transfer to public. So I guess it can happen with some other modules as well.
The "public" download method
The "public" download method gives file URLs straight to where the file is stored. Drupal cannot offer any access control there. If you have the link you download the file. But it is a bit faster and trouble-free.
The "private" download method gives URLs of the form "/system/files/filename". These are not real URLs, they are produced by Drupal. The real files can be even outside your web documents root, completely inaccessible. So, Drupal can allow or not the downloads for different users in different ways.
...
Slightly higher load on your server as all access to files is processed through Drupal but people can't figure out your img naming standard and browse your image directory as well.
-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain
Interesting...
so if it's set to private, this happens with *all* images on the site? So if someone was browsing by your site and tried to right-click on an image to download it, they wouldn't be able to?
No, no leech protection or
No, no leech protection or link stealing protection. These must be done in other ways.
With Drupal's private method, if they have permission to see it then they can download it. Think of it as support for premium or paid files. Or files "only for the inner sanctum" of a community.
Ahhhh...
OK. Interesting. A built-in "private content" switch.
Yes, you can always post a
Yes, you can always post a "system/files/filename" link but if the user is not logged in and doesn't have the permission the link won't work.
Apache vs Drupal
one isn't necessarily better than the other. The difference is in which software controls access to them.
Use private downloads when you want Drupal to care about or control the downloads eg access control by Drupal user id etc.
Use public when you want to control access to them them with Apache configuration directives, or when you don't care about any control and just want the best performance.
--
Anton
New to Drupal? | Forum posting tips | Troubleshooting FAQ
Also note that the setting
Also note that the setting controls whether Drupal will produce links of the form files/filename or system/files/filename for attachments, images etc. So even if you use "private", the public URL may still be accessible to a savvy user - unless you explicitly prevent access either by locating the files folder outside the web document root, or by configuring the web server to deny direct access to its contents. Alternatively, if you give the files folder and obscure filename then it probably won't be found...
Can't change settings from public to private
Apologies if this post is in the wrong section, but I've been searching the forums for a while and can't seem to find anyone who has experienced the problem I currently have. I'd like to use private downloads, but whenever I try to save the configuration at admin>settings>file-system, the page returned is "Page Not Found."
This goes for changing anything in the file system settings (including the directory). Any ideas on what's causing it?
As a workaround, I've forced a public directory via settings.php, and the fix isn't urgent, but I need to get private downloads going at some point. Any help is appreciated.
Thanks. By the way, I'm using: drupal 5.0 rc1
This sounds somehow similar
This sounds somehow similar to this problem: http://drupal.org/node/105483 (not solved yet).
Can you give more information about your PHP version, your $base_url, or anything unusual about your domain name similar to that other case?
More info
Thanks for the response. I'm running this at the root of my domain and I don't think there is anything strange about the installation otherwise. I had run a test version at the root/d5 level and had the same issue. Everything else in drupal works just fine; including all of the menus at administer/settings. I also tried turning off clean urls, to no avail.
Here's the rest of the info:
Drupal 5.0-RC-1
MySQL database 4.0.27
PHP 4.4.3
Unicode library PHP Mbstring Extension
Web server Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.3 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b
i still don't understand.
i still don't understand. So, i created a user with uid=4 and, using IMCE, uploaded a file named test.pdf.
Now, drupal stores it as
sitename/system/files/u4/test.pdf
but, it seems that even a user who's not logged in can access the file by just typing the link in the browser...??
how do i change that? my drupal file settings is set to 'private' but that obviously didn't help...
how do i set the permission for how files (not nodes) are accessed?
thanks!
One more thing...
private downloads just puts Drupal in charge of access control, whereas with public downloads Drupal has no say in the matter.
So now that you have private downloads set up and Drupal is in charge, have you checked your Drupal user permissions for the upload module at: /admin/user/access ? You may still be allowing anonymous users to "view uploaded files".
--
Anton
New to Drupal? | Troubleshooting FAQ
Example knowledge base built with Drupal
(no title)
If you install an access control module (such as Taxonoy Access Control or Organic Groups), you can do more that.
When some users are not allowed to see a node, then the "system/files/filename" link for any file uploaded to that node won't work for those users.