IMHO, you have to put the file directory outside of webroothierarchy (e.g. ../drupalfiles/ or absolute path outside webroot) to be sure that files cannot directly accessed by everybody by url.
That avoids skipping drupal configured access rules (e.g. for nodes, by roles etc.) by anon users or users without the right for accessing some or all images.

Under administration ( admin/settings/file-system ) you then set that file directory to private and files are now delivered by drupal (hopefully) respecting the access rules.

When this private option is active it generates urls in Drupal like
/system/files/images/bg-bar.png
while /../drupalfiles/images/bg-bar.png (what img_assist generates to preview images in the image browser) is wrong.

Comments

peterdd’s picture

peterdd commented

I found a note on CVS that it is fixed and todays dev release seems to work with private file dir.

sun’s picture

sun
Primary language German
Location Karlsruhe
commented
Status: Active » Closed (fixed)