Protected files (role-based access)

No, not right now. That is something the community will have to contribute.

I might be interested in developing this part. But I need some help from your part. I have tried the module. When I check the source code of the page in my browser I see all files show an address pointing to the CDN, not pointing to drupal. It means, anyone can get this url and obtain the file. As I see, there are two options:

first- for protected files (those in /system instead of /files in the URL) hide the CDN URL. The address shown should be the drupal one but by means of some rewriting mechanism it should be redirected to the CDN.

second- for CDN that support security, let's say token, show openly the CDN address, but generate a token to generate a one time URL

I might be wrong in the approach. Could you wim comment on these ideas and give us some suggestion as to which functions should we modify in your code?

Thanks

first- for protected files (those in /system instead of /files in the URL) hide the CDN URL. The address shown should be the drupal one but by means of some rewriting mechanism it should be redirected to the CDN.

Then you lose one of the largest advantages of CDNs: lower latency.

second- for CDN that support security, let's say token, show openly the CDN address, but generate a token to generate a one time URL

This is more like it.

Let me explain why I didn't implement this right away. The reason is simple: there is no standard. First, only *some* of the CDNs support private files/access rules/whatever you call it. Second, the CDNs that do support this each have their own API/mechanism/convention for supporting it.

Assuming you're using advanced mode (i.e. you're using File Conveyor), you should be able to extend existing transporters to add more settings to make this possible. If your'e using basic mode, this is likely impossible.

But exactly because there is no standard, the first question are: what CDN are you using and what API/mechanism/convention do they support?

Yes, latency would be harmed with URL rewriting mechanism. Although this method would work for any CDN even for those that don't support data protection. And as we are talking about protected data, it would happen only for the small amount of protected data, as we know that most contents in a website are public and those can be offered the standard way.

About token authentication/referrer check and so on, it's a fact that every CDN has it's API. I am yet in the process of choosing one, checking costs and so on. Thus I can't yet tell which mechanism are they using.

This aspect of CDN is one that should be addressed like many others over the internet: standardization.

Hm, you've got a valid point there. Latency is less important for private file downloads. However, there is one issue with a URL rewriting approach: the user could figure out the unprotected URL of the file on the CDN and share it with others. If others then access the file directly via that URL, there is no protection any more. I.e. security through obscurity.
The question if that's sufficient for you? The nice thing about the URL rewriting approach is that it can work for any CDN, of course.

I think security through obscurity is an option that could be offered with the adequate warning that it's a very low low level of security. But it would suffice for many. I am sure in some span of time all CDN will support secure transmission, like token and referrer check, but in the meanwhile this could be an option for a lot of people.