Controlling unauthenticated file access with .htaccess or something else?
luckyday13 - February 10, 2009 - 20:02
| Project: | Web File Manager |
| Version: | 5.x-2.15 |
| Component: | Miscellaneous |
| Category: | support request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Description
I am having trouble using .htaccess to work the way I would like/hoped. Basically, when a user is logged into my site, I want them to be able to have access to the files directly via a URL. However, I want unauthenticated users to be denied direct URL access to files in my WebFM directories.
I have been playing with a couple variations of the following .htaccess file:
order allow,deny
deny from all
Unfortunately, this seems to eliminate URL access for Drupal site-authenticated users also, allowing them to only access the files by navigating the Web File Manager.
Is there a way I can do this with either .htaccess or by other means?
Many thanks,
Rob

#1
The .htaccess file affects the contents of the directory in which it is located as well as all sub-directories and contents. For URLs using the 'webfm_send' path the file must have 'public' access in its permissions to be viewable by anonymous users (unless it was attached to a viewable node, which makes it public). If no .htaccess file is present then users will be able to download files using the file path and bypass the security of the module.
Typically the content of my .htaccess file looks like this:
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
require valid-user
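As an added example (not code from the original thread or from the WebFM module) of the deny-all .htaccess discussed in this thread, here is the file with the Apache 2.2 syntax used above, the Apache 2.4 equivalent, and comments explaining why it blocks direct URLs for everyone yet leaves webfm_send working. The directory it is meant for is an assumption; use whatever WebFM root is configured in the module settings:

```apache
# Added example: .htaccess for the WebFM root directory (assumed to be the
# directory configured as the WebFM root, e.g. under sites/default/files).
# Apache applies these rules to this directory and every subdirectory, and
# evaluates them with no knowledge of Drupal's session cookie, so direct file
# URLs are refused for *every* browser request, logged in or not.
# Links that go through the module's own menu path (webfm_send) are unaffected:
# that request is handled by Drupal's PHP, which checks the user's role, reads
# the file from disk and streams it, so the file's direct URL is never used.

# Apache 2.2 syntax (mod_authz_host), as posted in this thread
Order allow,deny
Deny from all

# Apache 2.4 syntax (mod_authz_core); use this instead of the two lines above
# Require all denied

# Belt and braces: should any request reach a file here, do not let Apache
# execute it as a script. Drupal's own files/.htaccess carries the same
# directives for this reason (see Drupal security advisory SA-2006-006).
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks
```

Two checks before relying on it: the file is silently ignored if the server's AllowOverride for that directory excludes Limit (needed for Order/Deny on 2.2) or AuthConfig (needed for Require on 2.4), so after deploying it fetch a direct file URL as an anonymous user and expect a 403, then fetch the same file through a webfm_send link as a logged-in user and expect the download. Note also that the AuthType Basic variant shown in the post above does not consult Drupal's login at all: the browser shows its own username/password dialog, which is the second prompt later posts in this thread complain about.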
#2
Thanks for the reply. Based on what you provided, am I wrongly assuming that the .htaccess file is an additional user name / password authentication step after a user logs into the site with their Drupal-based user name? If so, is there a way to have an .htaccess file verify if a user is logged into my site (using a Drupal-managed login), or does it need to be a login based on an .htaccess validation?
I will provide some more background on what I am attempting in case there is a better way of thinking about this:
- I have a project management site, everyone must login and has an assigned role based on their project. Role-based security is very important.
- WebFM does an excellent job serving as our project document file manager.
- Some files, I want users to be able to launch outside of WebFM by following a file path, but still keep the file stored in my webFM directories as our project archive.
- E.g. Google Earth KMLs launch really nicely from a direct path URL on a node, rather than as WebFM attachments. A function that our users love. Unfortunately, by providing the direct path, we are abandoning the security provided by the module.
- Ideally, we simply want a validation step that confirms authenticated users before the KML launches.
- Possibly? Alternatives? Store the files elsewhere? Open to ideas and suggestions.
Again, many thanks. Love the module.
rb
#3
.htaccess is used to prevent navigation to a URL. If you put it in webroot you will be asked to provide a password to access the site (something I've done for customer sites that had to stay private until officially 'live') via a generic login dialog. In the case of WebFM, it will prevent anonymous downloading of files if placed in the webfm root directory (again via a non-Drupal, generic dialog). It is a manual step that the site creator must take care of. There are plenty of help resources on the web on how to do it, as well as online utilities to generate the .htpasswd.
You could feasibly put a specific .htaccess in a particular webfm directory and provide the password to users to allow direct file access without using the module streaming (webfm_send). This directory wouldn't have a .htaccess file above it unless you wanted two password authentications - I've never tried that so I'm not sure if it would work that way. I don't know of any way of using file paths with WebFM security except via funky .htaccess redirects or mod_rewrite. I don't have time to research this.
#4
Thanks for the comments. In the end, the .htaccess file has proved to be effective in combination with changing how webfm handles attachments (open in same window). This allows me to stream or open the KMLs straight into Google Earth while letting webfm / Drupal manage security.
Also, I had no idea about the module streaming (webfm_send). Seems to support exactly what I am looking for.
Thanks for the assistance.
#5
Yeah, that's super luckyday13,
I have the exact same problem (made similar post over here http://drupal.org/node/415332), are you willing to describe how exactly you solved this problem? In my opinion it would be very useful to get this into webfm.
#6
Sorry for the delay replying, but things have been busy. I have tried to provide an explanation of what my needs are and what I have done. Not sure how helpful it will be, but I am happy to try to help. I offer the caution that I am still relatively new to Drupal (just over a year now...wow, time flies). Let me know if you have any questions.
To be perfectly honest, I just started using some of the functionality already built into webfm. Basically my content requires me to restrict access based on roles (project roles = some users have access to only one project, others to multiple projects, while others are guests with very limited access). Using Drupal for what it does best, I have defined some categories and roles, further managed by the TAC module to restrict or manage access to content. Webfm by design works with the roles I have set up, so it all meshes together and users can only access the webfm root directories based on their role(s) as defined under the webfm configuration. I am not sure if you are looking to restrict access based on individual user rights as opposed to roles, but I have not had to look into restricting access based on users.
With respect to the line of posts I have made here, my problem was with directory leeching or unauthenticated file access. I have had mixed luck with the .htaccess in the end. While I tried using the .htaccess provided by Rob (post #1 – much appreciated), I was unable to make that work without a second login/password prompt (if there is a way, please correct me; again, I am relatively new to this). Unfortunately, my users would have a low tolerance for that, so I experimented further with the simpler .htaccess file:
order allow,deny
deny from all
Once I began using links that were based on 'webfm_send' rather than absolute file paths (a bad idea anyway) and I changed the webfm configuration to allow links to open in the same window, my KML files could either be opened or saved by authenticated users. Better still, neither the webfm_send based URLs nor absolute path URLs could be opened/saved by unauthenticated users, which was exactly the function I was looking for. Unfortunately, a strange behaviour has started recently that I am at a loss to explain. A user can log in now, navigate to a node with a webfm attachment and, as soon as they click on the file, they are prompted with the Drupal login again and denied access. Once they enter their account information for a second time, everything is fine. I have tried experimenting with the placement of my .htaccess file, but have had no improvement. For now, I have had to remove my .htaccess file, but it is something I need to address sooner rather than later. I can't think of any other changes that have happened to the site outside of some module updates that may have caused this change. If I figure anything out, I will post it here.
Rob
#7
Hi Rob,
I haven't seen the double login, but it sounds like there might be an issue with the '$cookie_domain' in settings.php or the top level .htaccess (www and non-www site names).
-rob
#8
I posted my response more appropriately here: http://drupal.org/node/153108#comment-1710570
It appears that users can work around the .htaccess restrictions by using "system/file/webfm/..." as opposed to "file/webfm/..."
I hope I'm wrong about this.
#9
Maybe some of you can test this different approach: #437196: WebFM Folder Access rules based upon IP Ranges