I need to let users upload confidential documents (PDFs, .DOC files etc.), and then have these documents only downloaded by authenticated users.
The module Taxonomy Access Control works great for managing access to Drupal generated pages but does nothing about direct access to uploaded files. If someone discovers the URL of an uploaded file they can download it and Drupal never knows. I understand that it may be difficult for anonymous users to discover the URLs, but that's only security by obscurity and it's not fully satisfactory.
I also tried the module SecureSite and found that it doesn't actually seem to secure a site per se, it seems to only secure Drupal generated pages like the TAC module. I secured the whole site with SecureSite but was still able to pick off individual uploaded files.
Now of course I can password protect a directory but I want authenticated users to be able to get at the files without a second login.
I've been searching this site for for a solution and I do see that others have raised the same issue, but I have not found a solution.
Comments
You could use the "Private"
You could use the "Private" download method in "/admin/settings/file-system", and have the files stored somewhere higher than your public web directory, so that they cannot be accessed directly from the web but only served through Drupal.
With the Private download method, Drupal will serve uploaded files as "/system/files/filename" (a virtual directory -- doesn't really exist.)
Those virtual "/system/files/filename" paths will be accessible to anyone who has permission to view the nodes where the files were uploaded (other users will get a "not found" error). So, you still need a node access module to restrict access to those nodes.
Great, Thanks!
A private file system seems to do just what I want. Instead of moving my files directory I protected it using .htaccess as explained here. It's working fine. I'm a little embarrassed that I didn't find this myself.
I have seen some people on this site strongly recommend using a public file system rather than private. Is that because a private file system has slower performance? I think I can live with that as the site I'm doing will probably not ever have to support more than a few hundred members.
I appreciate your help.
I'm new to Drupal but I can already see that it's great.