By sigol on
Hi,
I hope you can help. I would like to convert my existing 5.x site from a Public file system to a Private one. I need to know what the issues are and how to physically go about this process.
I already have several hundred images, files and nodes. I appreciate it may be a big job, but it needs doing.
Can somebody please point me in the right direction?
Best wishes,
Sigol.
Comments
Fairly easy for the most part
If the paths don't change, you only need to change the public vs private setting.
Of course if that is all you do, you aren't really getting any benefit from changing to private.
You will need to also either move the files directory outside your web accessible directories, or configure your web server to deny access to the files directory.
To move the directory, you change the files path setting and you'll also need to change all the paths in the files table with a custom SQL query. I'd recommend practicing on a test copy first.
--
Anton
New to Drupal? | Troubleshooting FAQ
Example knowledge base built with Drupal
Thanks for your help, Anton.
Thanks for your help, Anton.
I do need to change the file path outside the html directory. So, as I understand this:
0. Try this on a test installation first.
1. Change the settings from Public to Private.
2. FTP down all the files and then back up to the new location (outside the html path).
3. Using phpMySqlAdmin, execute a query in the files table to change the path of all files as appropriate.
4. Delete the files from the old folder.
Am I missing any steps?
Thanks very much for your help.
best wishes,
Simon.
You missed one
You also need to change the path to the files directory - eg from "files" (inside webroot) to something like "../files" (in the parent directory of the webroot).
If you can't get that working, a simpler solution than changing paths, moving the files and updating all the records in the files table, could be to just configure the webserver (eg in an .htaccess file) to deny all access to the existing files directory and change from public to private.
But be sure to test it either way.
--
Anton
New to Drupal? | Troubleshooting FAQ
Example knowledge base built with Drupal
public access
That's a much, much simpler solution! So that means that the files directory will be accessible from the Drupal installation itself but not the web in general? How does Drupal get past the deny all directive? And if that works, why isn't this the better solution? It's less secure? Or puts more load on the server?
Finally, what if you want both public and private attached files? It would be best if the permissions tracked over from the content_access module, but perhaps this is asking too much...
Thanks.
C.J.
files and stuff
The same way it reads files outside your web root. PHP (ie Drupal) is reading the files locally off the file system - Apache isn't serving them up via HTTP. So any Apache HTTP access restriction doesn't affect how Drupal can read them off the disk.
As for downsides - the only one I can see is that you are more vulnerable to a future Apache configuration mistake making the files public again. With the files outside the web root that kind of mistake is much harder to pull off, but it probably isn't a big deal overall unless your files are highly confidential.
Drupal doesn't support that yet - but there is a module floating around that supposedly does that (the name escapes me).
They do (with the upload module at least) - the user needs access to the node to be able to download any files attached to it.
eg: the file_download() function invokes hook_file_download() to give any module (incl one you write yourself) a chance to deny access. The upload module uses that hook to check the user's access to the node.
http://api.drupal.org/api/function/upload_file_download/5
--
Anton
New to Drupal? | Troubleshooting FAQ
Example knowledge base built with Drupal
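The veto mechanism described in the reply above, as an added example that is not part of the original thread or of Drupal's own code: a Drupal 5 module that denies private downloads from one subdirectory unless the user holds a specific permission. The module name `confidential_files`, the permission string and the `confidential/` subdirectory are assumptions made for illustration.

```php
<?php
// confidential_files.module: hypothetical Drupal 5 module (added example).
// Only takes effect when the download method is set to Private, because
// only then do requests go through file_download() and this hook.

/**
 * Implementation of hook_perm(): declare the permission checked below.
 */
function confidential_files_perm() {
  return array('download confidential files');
}

/**
 * Implementation of hook_file_download().
 *
 * $file is the path relative to the files directory. Returning -1 vetoes
 * the download for everyone, whatever other modules return. Returning an
 * array of HTTP headers allows it. Returning nothing leaves the decision
 * to other modules; if no module supplies headers, the file is not served.
 */
function confidential_files_file_download($file) {
  // Assumed layout: restricted uploads live under <files>/confidential/.
  if (strpos($file, 'confidential/') !== 0) {
    // Not ours: stay silent so upload_file_download() decides as usual.
    return;
  }

  // Restriction based on something only Drupal knows about: a permission
  // granted per role on the access control page.
  if (!user_access('download confidential files')) {
    return -1;
  }

  // Permitted by this module. Supply no headers here, so the upload
  // module's own node access check must still pass before the file is sent.
  return;
}
```

Because a single -1 from any module blocks the transfer, this check stacks on top of the upload module's node access check rather than replacing it.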
Cool!
Thanks. I found that module - private upload, and together makes a great combo! As long as all the permissions are maintained with a custom view that has attached files, I'll be all set (I do believe so, actually)
C.J.
I'm in the same boat. I'm
I'm in the same boat. I'm trying to decide if I should make my upload folder private or public. In general, each user's content of my current project will be accessible to the public, but I want to prevent leeching or allowing other sites to "hotlink" or "embed" my images into their pages. What's the difference between these two options?
(1) allowing the anonymous role have access to a given content type, which includes images uploaded by the content author, but having the upload folder set to private
(2) leaving the upload folder set to public, but using an Apache rewrite rule in an .htaccess file that will prevent leeching/hotlinking.
For the rewrite rule, you can use something like this in an .htaccess file within the /files folder:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?cyberciti\.biz/.*$ [NC]
RewriteRule .*\.(gif|jpe?g|png)$ http://www.cyberciti.biz/noop.jpg [R,NC,L]
Restrictions
I assume (1) lets anonymous users have access to uploaded files?
If so, then it doesn't restrict anything at all and has performance ramifications as Drupal processes the file downloads rather than Apache. You may as well just use public downloads.
If not, then anonymous users will not see the images even if they can see the node. This may or may not be what you want.
Generally the reason to use private downloads is if you want your restrictions to be based on something internal to Drupal that Apache doesn't know about (eg a user's role etc, or node permissions etc). If your restrictions are HTTP related, you may as well let Apache deal with it - it's faster and you get to use CSS aggregation etc.
--
Anton
I think the last part of
I think the last part of your reply is the key - the difference is whether or not the restrictions you want on the files are based on something internal to Drupal that Apache won't know about (such as role membership etc).
So, for my purposes at least, it sounds like public access should be fine. Then I can also use rewrite rules within an htaccess file to disable hotlinking.
For people like me who are
For people like me who are contemplating switching from public to private file systems (in my case, to use the filefield_tracker module): a big problem with setting the private file system is that you lose the css/js aggregation. This means you have lots of css and js files to load into the page, which 1) is slower, and 2) may cause problems in many versions of Internet Explorer: the number of css files is limited to 32, which is easy to reach if you have a number of modules.
I'm currently investigating private_download (http://drupal.org/project/private_download) to see if it's possible to work around this limitation.