This is a note for an item to add to the documentation.

One of the requirements of File Framework is the Bitcache module. Apparently by design, after installing the Bitcache module it removes the ability for the administrator to configure the Admin -> Site Configuration - Filesystem 'download method' and change it from public to private. Prior to installing the Bitcache module and Fileframework, make sure to properly configure your download method to whichever method is desired. Otherwise you may progress down the road of installing fileframework and have to re-do it. Changing the download method after you have started is difficult.

Thanks!

Comments

justin.hopkins’s picture

Is this the reason that bitstreams and their derivatives are downloadable via their download link despite the node itself being inaccessible? As in http://mysite.com/file/123 = 'Access denied', but below the access denied you can still see the derivitives and their download links... http://mysite.com/file/123/download/456 = 'Access granted, here's your file'...

I was actually perusing the issue cue to open a new bug report about this... But it seems like I've already mentioned it. Do you remember talking about this with me in D.C. Miglius?

miglius’s picture

File Framework used to hide the Admin -> Site Configuration - Filesystem 'download method' setting, but I put it back. Anyway, this setting should be configured before installing the File Framework as it shows where the bitcache repository will be created.

So, for a sensitive files you should set this setting to the private and change file system path to be outside of the webserver's documents.

johanneshahn’s picture

Status: Active » Closed (works as designed)

Jno activity

jvieille’s picture

Status: Closed (works as designed) » Active

I wish to change the file system from "Public" to "Private" mode.
If I change this and put an .htaccess twith "Deny from all" in the Bitcache directory, Files just become inaccessible (the noe is, but the bitstream not).
How can I change this setting on an existing install?

Thanks for help

johanneshahn’s picture

hi jvieille,
i think the best way to make file/bitcache data private is to
move your "files" folder outside of servers document root.
then u do not need a .htaccess file.

example:

current (document root: "/var/www/vhosts/mydom.ain/htdocs/"):
/var/www/vhosts/mydom.ain/htdocs/sites/default/files

to
/var/www/vhsots/mydom.ain/files

beware of safe_mode and open basedir in your php.ini
if u can not move the files folder u have to write "Order deny,allow"
into you htaccess file. But check direct accessing files via browser again!

jvieille’s picture

Status: Active » Closed (fixed)

Thanks Johannes.
This is enough to work on, I'll comment more if needed after investigation (keeping the issue list lean and clean)