Hi all!

I just noticed something wrong when I write a link like this one:

www.mydrupalsite.org/videofiles/video1.flv

in the browser, assuming www.mydrupalsite.org is a site made with Drupal and video1.flv is a file on the server, found inside the "videofiles" folder. That is, I can see the file. I don't want this, because simply by having the file name, anyone can view the video.

Is there a way to prevent such access? Probably by enabling Drupal to parse every kind of path and give an error for this kind of path. I have a page named www.mydrupalsite.org/videos, and when a user writes "www...org/videos/video1", Drupal should check whether that user is authenticated or not.

Cheers!

Comments

jainrutgers

Try changing the permission of the videofiles folder

Chetan
http://www.cjain.com

cog.rusty

Folder permissions won't work, because
- if Apache can read them, it will serve them.
- if Apache can't read them, Drupal can't show them to anyone.

Apache must be able to read them but not to serve them directly.

jainrutgers

Hey, thanks... I was having that doubt, that's why I wrote 'Try'.

Chetan
http://www.cjain.com

cog.rusty

You can choose the "Private downloads" method in admin/settings/file-system, and
- either set your files path to a directory outside your web root so that they don't have a URL
- or leave them where they are and protect them with some .htaccess directive (Order deny,allow and deny from all).

Apache won't serve them directly, and Drupal will read them and serve them with a virtual path system/files.

Then you can set permissions for the files by using an access control module (content_access or nodeaccess or node_privacy_byrole or og) and restricting access to the posts where they were uploaded, so that only some user roles can see them.

Caveats:
- Your file-related modules must support the private download method.
- The private method is a bit slower because of the additional processing.
- If you already have uploaded files, their links may break if you change the download method now.
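
The .htaccess option from the reply above, written out as an added example (not part of the original thread). It assumes the file is placed inside the videofiles directory from the question; the Apache 2.4 branch is an addition alongside the 2.2 directives quoted in the reply.

```apache
# .htaccess inside the protected files directory (videofiles/ in the question).
# Denies every direct HTTP request for files in this directory and below.
# Drupal still reads the files from disk and serves them through system/files
# after its own access checks.

# Apache 2.4 and later: access control is handled by mod_authz_core.
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>

# Apache 2.2 and earlier: the directives quoted in the reply.
<IfModule !mod_authz_core.c>
  Order deny,allow
  Deny from all
</IfModule>

# Caveat: this file only takes effect if the server configuration allows
# overrides for this directory (AllowOverride AuthConfig for "Require",
# AllowOverride Limit for "Order"/"Deny"). With "AllowOverride None" the
# file is ignored without any error and the videos stay publicly reachable.
```

After saving it, requesting www.mydrupalsite.org/videofiles/video1.flv directly should return 403 Forbidden; if the video still loads, the overrides are not being applied.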