HOWTO deny access to uploaded files?
Fluffy Convict - June 22, 2008 - 16:32
If I let Drupal handle uploaded files, and disallow anonymous users to download uploaded files, this works only partially:
* surfing to mysite.com/system/files/image.gif returns an "access denied" message as expected
* surfing to the actual path of the file (mysite.com/sites/default/files/image.gif) returns the image to the client
How do I prevent anonymous users from downloading files from the actual directory on the server, as described?

correct me if i am wrong you
correct me if i am wrong
You can set permissions for anonymous and other roles on the permissions page, which should be under the Users menu in the administrator panel.
cheers
Take them out of your Web root
Take them out of your Web root. It is the only sure way:
/home/user/public_html (your Web document root, and possibly your Drupal site)
/home/user/files (your private files)
Now the files are off the Web, and a browser can't get them directly from the Web server, bypassing Drupal. Only Drupal can serve them, as "system/files/filename".
In this example, the files setting in admin/settings/file-system should be
/home/user/files, and of course "private". In case you have files already, some database editing may be needed if you change that path.
Will .htaccess do the trick?
I've been thinking about moving the files folder to outside the webroot, too. But in order not to break Drupal's structure, isn't there any other way to:
* store the files in sites//files/
* and disallow direct surfing to files within this folder
by creating a .htaccess with proper directives in sites//files/ or the drupal .htaccess file?
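The two approaches discussed above (moving the files directory out of the document root, or keeping it under sites/.../files behind a .htaccess) can be checked from the shell. This is an added example, not code from the thread or from Drupal; the paths and the deny directives it looks for ("Deny from all" for Apache 2.2, "Require all denied" for Apache 2.4) are assumptions about a typical Apache setup.

```shell
#!/bin/sh
# Added example: report whether a Drupal private files directory can be fetched
# directly from the web server, bypassing the system/files handler.
# Protected states: the directory is outside the document root, or it is inside
# but carries a .htaccess denying all direct access. Note that such a .htaccess
# only works when the vhost allows it (AllowOverride Limit/AuthConfig or All).
# Usage: check_private_files_dir DOCROOT FILESDIR   (exit 0 = protected)

abs_path() {
    # Resolve symlinks and relative paths, so sites/default/files -> /home/user/files is handled.
    (cd "$1" 2>/dev/null && pwd -P)
}

files_dir_guarded() {
    # True when the directory's own .htaccess contains an Apache deny-all directive.
    ht="$1/.htaccess"
    [ -f "$ht" ] || return 1
    grep -Eiq '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)' "$ht"
}

check_private_files_dir() {
    docroot=$(abs_path "$1") || { echo "no such document root: $1" >&2; return 2; }
    files=$(abs_path "$2")   || { echo "no such files directory: $2" >&2; return 2; }
    case "$files" in
        "$docroot"|"$docroot"/*)
            # Inside the web root: only acceptable if Apache is told not to serve it.
            if files_dir_guarded "$files"; then
                echo "OK: $files is under the web root but .htaccess denies direct access"
                return 0
            fi
            echo "EXPOSED: $files is under $docroot and will be served directly" >&2
            return 1 ;;
        *)
            # Outside the web root: the web server cannot map a URL to it at all.
            echo "OK: $files is outside the web root $docroot"
            return 0 ;;
    esac
}
```

Run it against the live paths from admin/settings/file-system after changing the setting, since Drupal only moves the setting, not the files already on disk.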
Referrer setting in .htaccess?
I recall reading somewhere about setting a referrer allowed only to the site name, so in order to get to a particular file you have to go through a link from the website itself. Can somebody knowledgeable of Apache directives enlighten us as to whether this works and how exactly to set it up?
=-=
http://tips-scripts.com/leech
_____________________________________________________________________
My posts & comments are usually dripping with sarcasm.
If you ask nicely I'll give you a towel : )
Checking the referrer in
Checking the referrer in .htaccess is an attempt to protect the files from being linked from other sites (link stealing), which is different. Something like
RewriteCond %{HTTP_REFERER} !^http://example\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://[^/]+\.example\.com/ [NC]
RewriteRule .*$ - [F]
This is supposed to deny the file to whoever did not directly click the link on your site, but visitors to your site can still view the file, so it is not what is needed here.
Anyway, even the link stealing protection which that provides is imperfect, because the referrer can be easily spoofed or just not reported, and by denying an empty referrer you deny all users of some browsers.
What method would you suggest?
Thanks to Very Misunderstood and Cog.Rusty for pointing out the inadequacy of the .htaccess referrer method.
Is there a method you would suggest for protecting the files in the /files directory?
Hmm... I just went to try
Hmm... I just went to try something with Drupal 6 and found that the uploaded private file (still in a Web-accessible directory) is automatically set to permissions 600. At least in my shared host (which uses suexec) this seems enough to protect the original file path even from me.