Ok, I'm in the process of setting up my second site. I'm confused by the File System configuration where you either select public or private.

Upon uploading files via the attachment method and then clicking on those files to download them, my normal download manager kicks in and downloads. According to the public method, you can access the files via http directly, so I purposely pointed my web browser to the file to be downloaded and the file downloaded, whether I had public or private selected.

What is the point of either public or private?

Any advice appreciated.

Comments

criznach’s picture

If you use private you can restrict downloads to authenticated users, certain roles, or a variety of other scenarios. Public is just that - public.

superjacent’s picture

If using the private method, what other settings should be set to enforce this?

It appears to me, regardless of whether it's public or private, I can still point my web browser at the file and download it.

I've been using Drupal for a while now but up until now my site was just personal and I was the only one entering stuff. My next site will be accounting for numerous contributors and most likely attached files (code samples) that could be downloaded.

Any advice appreciated.

___________________________

Steven Taylor
Melbourne, Australia.
http://superjacent.net/cms

vm’s picture

For a truly private file system, the files folder should be located above the public root so that the files aren't accessible from the public root.

superjacent’s picture

I've just fiddled with those settings, creating an 'outside of web root' folder for files. I get the point now. This could be one strategy in which guests are forced to register in order to download files. That's problem one solved, problem two will be keeping them.

___________________________

Steven Taylor
Melbourne, Australia.
http://superjacent.net/cms

Designer Dude’s picture

Hi Steven,

How did you do that?

I have a site with music previews using the audio.module. Even though I set the file system to 'private' an anonymous user can guess the link to the mp3 and download it.

Can you explain how you 'fiddled with the settings'? I think that might solve the problem with people guessing the links.

superjacent’s picture

You need to create a directory/folder which is outside your web root. That means nobody can navigate to that folder with a browser.

This setup is inside your web root (and possibly accessible by a browser)

public_html/mysite.com/files (a browser might/could gain access)

This setup is outside your web root

public_html/files.

Obviously, you still need to tell Drupal where the files folder resides. Drupal will then take care of the downloads.

Hope this helps.

___________________________
Steven Taylor
Melbourne, Australia.
http://superjacent.net/cms

Designer Dude’s picture

Thanks for that, Steven.

Quick question: if I put the "files" folder outside the /public_html/ folder, is that even better, or will Drupal not be able to find it?

e.g. Let's say my server account home directory is:

/home/designerdude/

and my domains are under: /home/designerdude/public_html/

If I setup my "files" folder here: /home/designerdude/files

Will that be safer?

superjacent’s picture

Safer is not the right terminology; your files folder is either within your web root (not safe) or it isn't (safe). I doubt that it matters which out-of-web-root folder you place it in; it will still be safe, not safer.

If you at least place it in a parallel folder to your web root (designerdude.com), browsers cannot navigate to it. By all means you can place it in folders above your web root.

___________________________

Steven Taylor
Melbourne, Australia.
http://superjacent.net/cms
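
The inside/outside distinction discussed above can be checked mechanically. The following is an added example, not code from any poster in this thread; it assumes the web server's document root is public_html/mysite.com, and the temp-directory tree is constructed to mirror the folder layouts mentioned in the posts.

```php
<?php
// Added example, not code from the thread. Unix-style paths are assumed.

/**
 * Returns the URL path at which $files_dir is directly reachable when the
 * web server's document root is $web_root, FALSE if it lies outside the
 * document root, or NULL if either path does not exist.
 *
 * Limitation: a symlink inside the web root that points at an outside folder
 * still exposes that folder; this check does not scan for such links.
 */
function exposed_url_path($web_root, $files_dir) {
  $root = realpath($web_root);
  $files = realpath($files_dir);
  if ($root === FALSE || $files === FALSE) {
    return NULL;
  }
  // Compare with trailing slashes so "mysite.com_files" is not mistaken
  // for a child of "mysite.com".
  $root = rtrim($root, '/') . '/';
  if (strpos($files . '/', $root) !== 0) {
    return FALSE;
  }
  return '/' . substr($files, strlen($root));
}

// Constructed sample tree under the system temp directory.
$home = sys_get_temp_dir() . '/webroot_demo_' . getmypid();
$web_root = $home . '/public_html/mysite.com';
$candidates = array(
  '/public_html/mysite.com/files',  // inside the web root
  '/public_html/files',             // parallel to the web root
  '/files',                         // above public_html
  '/public_html/mysite.com_files',  // shares a name prefix only
);
foreach ($candidates as $dir) {
  mkdir($home . $dir, 0700, TRUE);
}
foreach ($candidates as $dir) {
  $url = exposed_url_path($web_root, $home . $dir);
  echo $dir, ': ', ($url === FALSE ? 'not served directly' : 'served at ' . $url), "\n";
}
```

Only the first candidate is reported as served directly; for the other three, a download has to go through Drupal.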

pedroqalm’s picture

I have setup my files folder outside the public_html.

/home/myaccount/files

Just for comparison drupal is on:

/home/myaccount/public_html/drupalsite/

Now every time I upload a file to a node, it is referenced as http://drupalsite.com/system/files/file.jpg. Is this what should happen? The URL isn't hidden or encrypted.

vm’s picture

Yep, that is how it works at this time. However, logged-in users are the only users who would have access to those files, which is where the "private" comes into play.

pedroqalm’s picture

Anonymous can also have access to uploaded files. For example, I've created a CCK Filefield and then enabled this field permission for anonymous users, and now those users can have access to the files (only those specific files; other CCK filefields and regular attachments are still hidden).

Now what I would like to know is how to create specific permissions that work like the above but for a specific node. Example: a user buys and pays for a product using Ubercart, then a PHP check is made to check if the user's order is completed, and the user can see the specific filefield, meaning he now has permission; otherwise nobody else can access the files.

Any help on this?

vm’s picture

If you are allowing anonymous users to access the files I'm not sure who you are trying to keep the files from. Non-purchasers? If so, you may want to ask in the ubercart.org support forums. I believe there is a module in or for Ubercart to handle delivery of files.

Core's file system won't handle that type of task directly. Though in Drupal 7.x there will be the ability to use a private & a public file system. Though I'd figure that the idea won't change much with reference to how these are handled with permissions, i.e. if anon is allowed to access the files then ultimately the link can be sent around and everyone will have access.

pedroqalm’s picture

I was just using an example, in fact anonymous don't have access to filefield.

The thing is Ubercart only allows file download, I want to allow online access online only.

Thanks a lot for the answers, you have been helpful. :)

beckyjohnson’s picture

So, I have shared hosting. My directory looks like this:

  • logs
  • mail
  • myurl.com
    • my drupal files
    • sites folder et. al

I tried putting a folder outside of my web root directory like so:

logs
mail
myurl.com

I copied my path using Transmit, my FTP program and got:

ftp://myurl.com:21//files

I tried putting this in to my file path area and got a warning error so I tried just adding //files and got an error as well.
What should I be doing here?

Also, currently the temp file is set to /temp. Does that need to change too?

Thanks!
Becky

vm’s picture

The path has to be relative to your account on the server, not absolute. /home/username/some/such/path

If you can't figure out the relative path of your hosting account, your host should be asked what it is.

bwv’s picture

I tried an experiment along precisely these lines:

1. My absolute path is formulated thusly:

/homepages/99/477y775/htdocs/

2. I created a folder that resides here:

/homepages/99/477y775/htdocs/all_private_content

3. I set up a drupal site here:

/homepages/99/477y775/htdocs/drupalsite/123

4. But I set my public file system for the drupalsite/123 here:

/homepages/99/477y775/htdocs/all_private_content

I uploaded an mp3 and it is utterly impossible (at least as far as I can tell) to tell via view source where the file is. Here is the relevant data excerpted from view source:

<div class="content">
<ul class="menu">
<li class="collapsed"><a href="/123/?q=audio">Audio</a></li>
<li class="leaf"><a href="/123/?q=tracker">Recent posts</a></li>

</ul>
</div>
</div>
 <div id="node-1" class="node">
<h2><a href="/123/?q=node/1" title="Sample MP3">MP3</a></h2>
<span class="submitted">Fri, 05/09/2008 - 13:18 — admin</span>
<div class="content">
    <object type="application/x-shockwave-flash" data="/123/sites/all/modules/audio/players/1pixelout.swf" width="290" height="24" >
  <param name="movie" value="/123/sites/all/modules/audio/players/1pixelout.swf" />
  <param name="wmode" value="transparent" />
  <param name="menu" value="false" />
  <param name="quality" value="high" />
  <param name="FlashVars" value="soundFile=http%3A%2F%2Fwww.drupalsite.com%2F123%2F%3Fq%3Daudio%2Fplay%2F1" />
  <embed src="/123/sites/all/modules/audio/players/1pixelout.swf" flashvars="soundFile=http%3A%2F%2Fwww.drupalsite.com%2F123%2F%3Fq%3Daudio%2Fplay%2F1" width="290" height="24" />
</object><br />1:11 minutes (297.98 KB)<p>test</p>

  </div>

----------------------------------------------------------------------
http://www.bwv810.com/

I am a writer and researcher. In my spare time I build websites with Drupal.
Je peux communiquer en français. / Я могу общаться на русском языке.

vm’s picture

Viewing the source isn't the problem. The path shows when you hover over the link or in the browser bar after the link is clicked.

Also note that when the files folder is stored above the public root, the files are inaccessible to the mass public and as such can only be served by Drupal.

i.e.:

/htdocs/drupal -> drupal installed here
/files/htdocs/drupal -> folder located one level up

snsace’s picture

Along this subject, I have files that I want to restrict to a certain user role, and some files will be allowable for all other authenticated users. What is the best way to accomplish this?

vm’s picture

Investigate the use of CCK and the filefield.module to create specific content types for each type of upload, and only allow certain roles access to each content type.

snsace’s picture

I installed CCK and enabled all the CCK features. When I tried to install the FileField module, I got a white screen with a database error. This disabled my site. I restored from a backup. Not sure what happened. The message was around line 171 of filefield expecting a ")" where there was an "=".

I'm back to where I started.

With my other site, which was phpNuke, I just put all our files in a separate folder and linked to them with an .htaccess password required. However, in Drupal I can't seem to link to folders outside my Drupal installation without getting a "page not found" message.

vm’s picture

nico059’s picture

Hi Steven,

I use a mix of public AND private on a Drupal site. See http://drupal.org/node/189239
The idea is to set Drupal in public mode for color chooser, CSS aggregation etc. and create a private folder where I can control access by Drupal role. I "protect" this private folder with a .htaccess (mod_rewrite).
When the browser wants to download a file in this private folder, for example:
[root]/files/MY_PRIVATE_FOLDER/fileA.xyz,
the mod_rewrite redirects the browser to
[root]/system/files//MY_PRIVATE_FOLDER/fileA.xyz

Then the access role in drupal can be used.
Regards,
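
Once a request arrives at system/files/..., Drupal asks every module's hook_file_download() whether the transfer is allowed, and that is where a per-role rule can live. The following is an added example, not nico059's code or the code of any module named in this thread; it uses the Drupal 6 hook API, and the module name `mymodule` and the permission name are hypothetical.

```php
<?php
// Added example for a hypothetical Drupal 6 module called "mymodule".

/**
 * Implementation of hook_perm().
 *
 * Declares a permission (hypothetical name) that an administrator can then
 * grant to chosen roles on the permissions page.
 */
function mymodule_perm() {
  return array('download private folder files');
}

/**
 * Implementation of hook_file_download().
 *
 * $filepath is relative to the configured files directory, for example
 * "MY_PRIVATE_FOLDER/fileA.xyz". Return values:
 *   NULL   this module has no opinion about the file,
 *   -1     deny the download (Drupal answers "access denied"),
 *   array  HTTP headers; Drupal then streams the file itself.
 */
function mymodule_file_download($filepath) {
  // Only rule on files inside the protected folder.
  if (strpos($filepath, 'MY_PRIVATE_FOLDER/') !== 0) {
    return NULL;
  }
  // The role check: anonymous users and roles without the permission
  // are refused, even if they know or guess the URL.
  if (!user_access('download private folder files')) {
    return -1;
  }
  $path = file_create_path($filepath);
  return array(
    'Content-Type: ' . file_get_mimetype($path),
    'Content-Length: ' . filesize($path),
  );
}
```

The check only takes effect for requests that actually pass through Drupal, so the folder must not be fetchable directly by the web server.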

superjacent’s picture

Very interesting and I follow the concept.

Let's say I create two sub-folders off the files directory, one named private and the other public. I'm confused in that the upload module doesn't allow the user to select a particular directory or sub-directory to where the files will be stored. Is there another way to do this?

___________________________

Steven Taylor
Melbourne, Australia.
http://superjacent.net/cms

vm’s picture

No. You can have one or the other, not both.

starbow’s picture

You might want to check out the private_upload module (http://drupal.org/project/private_upload)

superjacent’s picture

I'll have to wait for the Drupal 6 version.

___________________________

Steven Taylor
Melbourne, Australia.
http://superjacent.net/cms

chrisschaub’s picture

The only really secure solution I can think of is a custom flash player which reads an encrypted stream that only it knows how to decode. That encrypted stream would contain the file path.