Hi there, a couple of questions I hope someone will be able to answer. I’m considering using Drupal as a content management system for a major University project that I’m working on. I was wondering if it’s possible to configure Drupal to allow only certain people to be able to access certain areas of the management system. Ideally I would like to have the people with the correct password be able to go to an area and be able to download and upload files. My other question is how secure is Drupal. My boss wants to know if they should install Drupal on the University server or set it up on some web space I can provide – I have a reseller account with a reputable company.

Cheers, Bov

Comments

killes@www.drop.org’s picture

Drupal has a very flexible permissions system. Also each user has his own password. Drupal is very secure (at least we are not aware of any exploits ;). Security depends also on the operating system, apache settings, and php settings.
--
If you have troubles with a particular contrib project, please consider filing a support request. Thanks. And, by the way, Drupal 4.5 does not work with PHP 5.

bov’s picture

It’s actually the company that I have my reseller account with that will be physically hosting Drupal – so I don’t have access to the backend (I’m assuming security is good with the company as I’m constantly being informed about scripting vulnerabilities).

Do you know if you can set things up to allow 8 users to have access to the system and stop others from registering or gaining access?

I have to make a decision in the next day or so whether to use Drupal or not.

Cheers

sepeck’s picture

Turning off automatic registration is easy and can be configured with a check box. Your best bet is to setup a local test site and play with it for a day or two.

-sp
---------
Test site...always start with a test site.
Drupal Best Practices Guide


pamphile’s picture

I have a similar question here... for a non-profit.

Restricting access to images/files for members-only users
http://drupal.org/node/20329

Wholesale trade lead directory

pamphile’s picture

I restricted login access to only members. But apparently it only works with text content. That's not good enough.

We want images and files to be restricted too.

I created a function and code that should do this, but it isn't working.

I tried to paste some code here, but Drupal said the code looked dangerous.
so the code is here: http://01debug.com/auth.txt

Any ideas how I could get this code to work... ?

http://01debug.com

leblank@cyberocity.com’s picture

I thought there was a checkbox for viewing images yes/no assigned by role in user permissions ... like one person suggested, set up a site and play with it. You can create a new role that can only see pictures if you like ... but you have to find the appropriate interface for each discrete function.

killes@www.drop.org’s picture

What you need to do is to use the "private download" option for file storage in the settings menu. You also need to have a module that implements the _file_download hook to check the user's permissions.

Note that private downloads will cause a higher load on your server.
--
Drupal services
My Drupal services

pamphile’s picture

The "private download" is turned on.
Now all uploaded files and images are requested like this:
htp://domain.com/files=text.txt
htp://domain.com/files=image.gif

Anonymous users have access to NO content.

However, anonymous users can still download files and images! That shouldn't happen...

If there is something I am missing, someone please tell me :)

Can you explain what you mean by:
"You also need to have a module that implements the _file_download hook to check the user's permissions."

Marcel
http://01webmasters.com

killes@www.drop.org’s picture

Well, I can't really explain it better. Maybe you want to read the code?

http://drupaldocs.org/api/head/function/upload_file_download

You'll need to remove the "view uploaded files" permission for visitors, too.

--
Drupal services
My Drupal services
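What such a module looks like in practice, covering both the earlier advice (private downloads plus a module implementing the hook) and the permission removal just mentioned. This is an added example, not code from this thread, from killes, or from Drupal core; the module name memberfiles is hypothetical, and it assumes the 4.x hook_file_download() return convention that upload_file_download() follows (-1 denies, an array of header lines serves the file, nothing defers to other modules) and the file_directory_path setting variable.

```php
<?php
// memberfiles.module: example added for this thread, not code from the
// thread, from killes, or from Drupal core. The module name is hypothetical.
// Assumes the Drupal 4.x hook_file_download() contract followed by
// upload_file_download(): return -1 to deny (file_download() answers 403),
// return an array of HTTP header lines to have the file transferred, return
// nothing to leave the file to other modules. Only effective with the
// "Private" download method, since then system/files is the only route.

/**
 * Implementation of hook_file_download().
 *
 * @param $file
 *   Path relative to the private files directory, as handed over by
 *   file_download() (system/files?file=... on 4.5).
 */
function memberfiles_file_download($file) {
  // One check for every private file, whichever module uploaded it:
  // anonymous users lose this permission on the access control page.
  if (!user_access('view uploaded files')) {
    return -1;
  }

  // Resolve the path and refuse anything outside the private directory
  // (a stray "../" in the file argument must not reach the filesystem).
  // 'file_directory_path' is the "File system path" setting's variable name.
  $real = realpath(file_create_path($file));
  $base = realpath(variable_get('file_directory_path', 'files'));
  if ($real === FALSE || $base === FALSE || !is_file($real)
      || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
    return -1;
  }

  // Permitted user: hand file_download() the headers it needs. The generic
  // type plus attachment disposition stops the browser rendering uploads
  // (an HTML upload would otherwise execute in the site's own origin).
  return array(
    'Content-Type: application/octet-stream',
    'Content-Disposition: attachment; filename="' . basename($real) . '"',
    'Content-Length: ' . filesize($real),
  );
}
```

Enable the module on the modules page and confirm with a logged-out browser that system/files now returns 403 for every file.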

pamphile’s picture

That was turned off too.

I believe that Drupal can't restrict ALL data when anonymous access is turned off. At least I have never seen it happen.

I tried several combinations: anonymous user has no rights..., og module, private downloads and everything mentioned in this thread. Yet, images and files are still downloadable. The anonymous user has no rights...

To everyone, this isn't a complaint, just an observation of something we need to fix.

I'll look at the code.

http://01webmasters.com

leblank@cyberocity.com’s picture

... turned on - that's normal. Don't know if you want to turn that off, but I can think of a way to stop all downloads from outside your site in the .htaccess file if you have rewrite access. I call it leech protect ... won't allow anyone outside my domain to get files. If that's what you need I'll read up on it some more and find out how again - been a while :)
---------------
LeBlank

pamphile’s picture

I thought of .htaccess, but I would have to place the username and password inside a file. Can't do that.

But i have a similar function - see the following post below about http://01debug.com/auth.txt

killes@www.drop.org’s picture

That is really strange. Where is your files directory located? For private downloads it should be outside of the apache accessible part of your directories.
--
Drupal services
My Drupal services

pamphile’s picture

All files are here --> /files

The default location for all files.

On a positive note, I got my own code to work by modifying common.inc.

If someone is logged in, and has access to files, then they can access the image or files. It uses the drupal function --> user_access('view uploaded files').

Unfortunately I don't know how to code Drupal modules yet, but I am willing to turn this into a module if anyone wants to help :)

How to use the function:

Added the code at http://01debug.com/auth.txt at the end of common.inc,
before this code:

// Initialize the localization system.
$locale = locale_initialize();

// Initialize the enabled theme.
$theme = init_theme();

Then call the httpauthuser function
httpauthuser($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']); // keys must be quoted strings, not bare constants

From now on, you can only access your pages, private files and private images after you login.

Again, if anyone is interested, I can take the time to turn this into a working module.

Marcel
http://01debug.com
http://01freelance.com

killes@www.drop.org’s picture

Well, you didn't follow the instructions.
For private downloads to work, your files should not be in a web accessible folder.
--
Drupal services
My Drupal services

pamphile’s picture

You're right, the files were publicly available, even though they were private.

So I made sure they are private - but got the same result.

This is the configuration I am using:
File system path: Private - files are transferred by Drupal.

Files are not publicly visible. They are here:
C:\AppServ\carisurv_drupal\files

Webserver root is here
C:\AppServ\www\intranet\

The anonymous user has no rights or permissions. Yet anonymous users can still access files and images at
http://example.com/intranet/system/files?file=myreg.reg

I am using the latest Drupal 4.5.x. I wonder if this happens in 4.6.

Has anyone ever gotten files, content, and images locked down on 4.5.x? Please raise your hand... thanks

Marcel

leblank@cyberocity.com’s picture

... may be storing the files from another time you looked at them. Clear your browser cache and see if they are still shown. Just an idea...
---------------
LeBlank

pamphile’s picture

Good suggestion. But that did not work.

No one has spoken up yet to say they succeeded at totally locking down Drupal content+images+files. I guess there is a bug in the download function.

I cleared the browser cache and tried accessing the images and files from multiple machines - same result.

pamphile’s picture

Instead of using the http://01debug.com code, you can also use this:

What this code does:
If the user is trying to access private files and images, check if they also have access rights to the images/files. If the user does not have access rights, send them to the drupal login page.

user_access('view uploaded files') is a drupal function that will make sure the user has access rights to uploaded files.

if (isset($_GET['file']) && $_GET['file'] != '' && !user_access('view uploaded files'))
    {
        header('Location: http://example.com/user/login');
        exit; // stop here: without this Drupal keeps running and still sends the file after the redirect header
    }

Place it in common.inc, right before

// Initialize the localization system.
$locale = locale_initialize();

// Initialize the enabled theme.
$theme = init_theme();

Debug my code - collaborative debugging

pamphile’s picture

Good news, securesite.module in 4.6 solves all the problems I was talking about... :) !!

No need to use the code I posted above...

http://01debug.com