By rgraves on
Hi,
I have a bunch of files in my /files directory. They have not been attached to nodes. They are files that were either imported using 'Import HTML' or uploaded using TinyMCE's filemanager plugin. I have two problems:
1. I want all the files within /files to be restricted to only authenticated users.
2. I want certain directories within /files (e.g. /files/restricted) to be restricted to certain roles.
Right now, if someone knows the URL, they can access the file without being logged into Drupal at all.
Any ideas?
Rob
Comments
Restricting File Viewing
I am also interested in finding out if there is already existing code/module for such functionality.
File sharing between site users is often a requested functionality.
Anyone?
Does anyone have a solution for this? .htaccess is the only way I can think of to prevent access to /files. Can .htaccess be linked with Drupal's authentication somehow, like with a cookie?
Or is there another way to get around this problem?
I'm also very interested in
I'm also very interested in an answer to this, it is such an obvious thing and would be very disappointing if there is currently no way to achieve it.
Design fault
I dare to say it's a design flaw. If you move the files directory to somewhere else it breaks many modules, plus, it's hard to make subdirs under files/ after you have lots of stuff there.
to control access to files/ directory, and to make new subdirs under it, are so basic for a CMS system. without making them applicable, i saw no meaning to rush for drupal6.x 7.x etc.
i wish i know how to fix that....
...
Switch to "Private" filesystem.
A file can be downloaded, when in "Private" filesystem, only when some module declares that it "knows about" it. If it's not the case already, configure IMCE to have a "/" folder, or shared folder, somewhere so that it "knows about" all your files.
You can probably do that with path_access. But It might not be straightforward.
BTW1, you should file a feature request against IMCE. It shouldn't be hard to restrict download access by role.
BTW2, there exists the 'fileshare' module, which allows you to associate a folder with a node. When in "Private" filesystem, only users having view access to the node can download the files within the folder. But this solution isn't compatible with what you already have.
Any Solution?
I am face with the same problem, someone said to make the files directory private, however when that is set my image module doesn't work, I'll be very... very happy to have a solution...if there is any!!!
thanks
Me too
I'd like to make a 'restricted' folder inside 'files' containing files that can only be accessed if logged in.
How hard would it be to write a bit of PHP that checks your drupal login (and a specific role if need be) and redirects you to the login page if you're not? I don't know the drupal specifics but the rest is easy - if you are logged in, the PHP script can set the header then fread the file in large chunks and spit it out. This means you can disallow direct access to files/restricted with .htaccess. The 'restricted file' module would handle any urls starting with ../files/restricted - which just happens to match the real folder structure.