Private uploads are not private
| Project: | Private Upload |
| Version: | 6.x-1.0-rc2 |
| Component: | Code |
| Category: | support request |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed |
Jump to:
Hello,
Installed the module, Private Upload Status is as follows:
* Public File Folder: 'sites/all/files'
* Private File Folder: 'sites/all/files/private'
* sites/all/files/private exists and is writable. Great.
* You have an .htaccess file in private folder. Great.
* Your private folder is not accessable. Great!
* File download method is set to public. Great.
* There are no old-style private files hanging around. Great.
* There are '47' files in the private folder, and the DB thinks there are '48' private files.
* There are no public files attached to private nodes. Great.
* Uploaded files in db: '48' files attached to '48' nodes.
Everything looks ok there, but when I log out and then try to access a private file directly by typing in it's URL, it works and the file is downloaded!
Any ideas on where I've gone wrong?
Thanks,
Marc
#1
if it is a publicly accessable site, can you use my contact form to send me the url of the file.
thanks,
-t
#2
Hi,
Just sent you a sample URL via your website contact form, let me know if you need more info,
Cheers,
M
#3
Hi Marc,
The most important rule of private upload is that the files are only as private as the nodes they are attached to. If an anonymous user can see a node, and anonymous user have the view attachments permission, the files attached to that node are effectively public, even if they are set to private.
#4
Hi Tao,
Thanks for clarifying.
The functionality I was after was that anonymous users would see the node - effectively a gateway page giving them an introduction to what was contained in the attached file. Then they must register/login to download the file.
I had investigated using Drupal's built-in secure uploads feature, but there are some attachments which I would like to make available to anonymous users, and I believe the built-in approach is "all or nothing" - either anonymous users can download all attachments, or no attachments.
Could you advise on how best I can achieve the functionality I'm looking for? Would I have to create an additional layer of nodes which are only accessible by registered users and then hang the attachments from there?
Many thanks for your help,
M
#5
The modules I use to achieve this type of private and public functionality are Nodeaccess and Private Upload
#6
+1; //subscribing here as well, and as long as I'm here: would it be difficult to patch private uploads to have an option where the parent node could be available to anon, but not the attached file(s)? Thanks.
#7
why to create a folder inside the public files folder? why not to specify an unreachable from the web folder ?
#8
@hedac - this module relies on Drupal's built in private file management, which prevents access to any files outside of the current files directory.
#9