Using .htaccess to restrict access on private site

SomebodySysop - June 16, 2009 - 19:19
Project:Web File Manager
Version:6.x-2.10-rc4
Component:Code
Category:support request
Priority:normal
Assigned:Unassigned
Status:closed
Description

Anonymous users can access files uploaded to my webfm directory, which I do not want.

My file system is set to private. Anonymous users have no access to any webfm permissions.

I put this .htaccess file on my root webfm directory (from http://drupal.org/node/372322):

order allow,deny
deny from all

Anonymous users get "forbidden" message when they try to go to:

files/webfm/thefile.txt

However, they have no restriction when they go to:

system/files/webfm/thefile.txt

I don't have any of the "Default File Permission" blocks checked in Webfm settings, which I assume means no one can access the file except owner or administrator.

Please tell me what I've missed here in order to not allow anyone to access files uploaded to webfm directory unless those files are attached to some node?

#1

SomebodySysop - June 17, 2009 - 08:20
Status:active» fixed

I came up with a solution based on this post: http://drupal.org/node/442142

I'm marking this as fixed because I've added this code to my own custom module and it works; however, I do believe something like this should be added to webfm manager to make it more secure. Even if I had taken the webfm directory out of the web root directory tree, the Drupal "system" would still have given access to these files as they aren't in the files table.

What I really wanted to do was not allow anyone direct url (i.e., "files/webfm/file" or "system/files/webfm/file") access to a file unless it was attached to a node and therefore had some permissions associated with it. Using .htaccess (as suggested here: http://drupal.org/node/372322) resolved the first access problem: "files/webfm/file". The second problem was that my site uses the "private" file download method, and therefore all webfm files are available to anonymous users via the "system/files/webfm/file" url because the system doesn't recognize these files (because they aren't in the files table).

I fixed this by using hook_file_download to create a file access rule for webfm files: "If the file is in the webfm directory tree and is NOT attached to a node, then you can't access it via "system/files/webfm" method." This stops anonymous access dead in its tracks.

<?php
/**
 * Implementation of hook_file_download().
 *
 * Deny "system/files/..." downloads of webfm files that are not attached
 * to a node the current user may view. Returning -1 makes file_download()
 * send "access denied"; returning nothing leaves the decision to other
 * modules (webfm's own hook supplies the download headers).
 */
function scbbs_file_download($filepath) {
  // Get true path.
  $file = file_create_path($filepath);

  // Next, check webfm files.
  // They need to either be attached to a node OR a filenode.
  // $webfm = 'files/webfm';
  $webfm = variable_get('webfm_root_dir', '');

  // An empty root would make strstr() match nothing and skip the rule.
  if ($file && $webfm && strstr($file, $webfm)) {
    // Check if file is attached to a node.
    $result = db_query("SELECT a.nid, f.* FROM {webfm_attach} a LEFT JOIN {webfm_file} f ON a.fid = f.fid WHERE f.fpath = '%s'", $file);
    if ($attach = db_fetch_object($result)) {
      // Check node access: db_rewrite_sql() applies the node access rules
      // for the current user, so no row back means no permission.
      if (!db_result(db_query(db_rewrite_sql("SELECT n.nid FROM {node} n WHERE n.nid = %d"), $attach->nid))) {
        return -1;
      }
    }
    else {
      // File is not attached, so we have no permissions (to change and verify with the browser).
      return -1;
    }
  }
}
?>
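
The rule above, as an added example that is not WebFM's or the poster's code: the decision is isolated in a pure function so it can be run outside Drupal, with a prefix match instead of strstr() and a fail-closed default when the root directory is unset. The names webfm_access_decision(), normalize_path(), sample_lookup() and the $lookup callback are hypothetical; $lookup stands in for the attachment query plus the db_rewrite_sql() node access check.

```php
<?php
// Added example, not WebFM or the poster's code: the rule from #1 as a pure
// function that can be exercised outside Drupal. webfm_access_decision(),
// normalize_path() and $lookup are hypothetical names; $lookup stands in for
// the {webfm_attach}/{webfm_file} query plus the db_rewrite_sql() node access
// check, returning the nid of a node the current user may view, or NULL.

/**
 * Return -1 to deny a "system/files/..." download, or NULL to leave the
 * decision to other modules (the same contract as hook_file_download()).
 */
function webfm_access_decision($filepath, $webfm_root, $lookup) {
  // Fail closed if the WebFM root is not configured: an empty needle makes
  // strstr() match nothing, which would silently switch the rule off.
  if ($webfm_root === '') {
    return -1;
  }
  // Require a prefix match on a directory boundary instead of strstr(),
  // which also matches "files/webfm_backup/x" anywhere in the path.
  $path = normalize_path($filepath);
  $root = normalize_path($webfm_root) . '/';
  if (strncmp($path, $root, strlen($root)) !== 0) {
    return NULL;  // Not a WebFM file: no opinion.
  }
  $nid = call_user_func($lookup, $path);
  // Unattached, or attached only to a node the user cannot view: deny.
  return $nid ? NULL : -1;
}

/** Collapse "." and ".." segments and repeated slashes without touching disk. */
function normalize_path($p) {
  $out = array();
  foreach (explode('/', $p) as $seg) {
    if ($seg === '' || $seg === '.') continue;
    if ($seg === '..') { array_pop($out); continue; }
    $out[] = $seg;
  }
  return implode('/', $out);
}

/** Constructed sample lookup: only report.txt is attached to a viewable node. */
function sample_lookup($path) {
  $attached = array('files/webfm/report.txt' => 7);
  return isset($attached[$path]) ? $attached[$path] : NULL;
}

var_dump(webfm_access_decision('files/webfm/report.txt', 'files/webfm', 'sample_lookup'));
var_dump(webfm_access_decision('files/webfm/../webfm/secret.txt', 'files/webfm', 'sample_lookup'));
var_dump(webfm_access_decision('files/other/readme.txt', 'files/webfm', 'sample_lookup'));
```

Inside Drupal, file_create_path() already rejects paths that resolve outside the files directory; the normalisation here only keeps the prefix test honest on the string it is given.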

#2

System Message - July 1, 2009 - 08:20
Status:fixed» closed

Automatically closed -- issue fixed for 2 weeks with no activity.

#3

TommyK - July 1, 2009 - 18:52

I've found that this problem isn't restricted to just the private file system. I set a test site to public and tried accessing files in a directory protected by the .htaccess file via the /system/files/ URL and I was able to access it anonymously.

Will your above code work for a site set to Public File System?

I'm relatively new to Drupal, so forgive me for the extra help I may need, but is the process to place the above code into a new module and then enable it?

Thanks,
Tommy

#4

SomebodySysop - July 1, 2009 - 20:56

Will your above code work for a site set to Public File System?

It should. However, in a public file system, by definition, files in the files directory can be accessed via http:// by anonymous users UNLESS they are otherwise restricted. That's why I went to a "private" file system.

I'm relatively new to Drupal, so forgive me for the extra help I may need, but is the process to place the above code into a new module and then enable it?

Yes. I created a custom module for my site called scbbs.module. I placed the hook function described in #1 into that module.
