I have set the download method to private. The location of the files is outside the doc root.
I unchecked "view uploaded files" for anon users.

I logged out, cleared the cache, cleared private date and sessions, restarted the browser but I am still able to access the files through:
http:///system/files/images/test.gif

Joep

-----------------------------------------
CompuBase, websites and webdesign

Comments

Anonymous’s picture

Anonymous (not verified) commented

For some reason the domain name was filtered out. So here it is again with code tags.

http://somedomain.com/system/files/images/test.gif

Anonymous’s picture

Anonymous (not verified) commented

I just found out that I was not correct.
The hotlinkink prevention does work for attached files.
However, it does NOT work for image content types, the image can be directly accessed.

I am not sure whether this is a bug in the file system or a bug in the image module.

chx’s picture

chx commented
Project: Drupal core » Image
Version: 5.1 » 5.x-1.x-dev
Component: file system » image.module
drewish’s picture

drewish commented
Status: Active » Closed (won't fix)

i'm marking this won't fix because it's not a bug. image and the core's file are working correctly. if you want to prevent hot linking you need to use apache's features to check the referer.

Anonymous’s picture

Anonymous (not verified) commented

I have always assumed that the private download method was designed for that matter.
It is rather confusing that regular attachments cannot be hotlinked when using private download method and images attached to image nodes do can be hotlinked.