Password protect attachments in Organic Groups module?
Hi all,
I am using the organic groups module on two of my Drupal websites. It was my intention to define a 'group' in order to create a password protected online space for members of this specific group, where they can share information. Other pages (about, news, publications) should still be accessible publicly.
After installation I noticed that only the NODES that are assigned to a certain group (not public) are password protected. Their ATTACHMENTS are not. If I am not logged in, I can still access the PDFs or other files that were attached to the hidden nodes. So if I know the address of the file, I can acccess it. Is there anything I can do about this?
Till then:
I understood that as long as there are no links on one of the public nodes to the protected PDFs, they will not be indexed by Google. Is this right?
I am using Google as a search function because the Drupal search didn't index attachments. The other day I read there is a module that indexes attachments. I would love to have that module installed as well, but at this moment I am happy I didn't. If I would have, the Drupal search would have indexed also the files that I am trying to hide!
So here I am, hoping that no one will figure out the name of my attached files, that no one will accidently link to them so that they are indexed, or that someone does anything else that makes these not so well hidden files public. If there are any solutions or tips, please share them with me.
Thank your very much!
Dorine Ruter
http://www.ruter.nl/blog
* PS I know this question has been asked before, but I can't find those posts and I don't recall there was a specific answer to them that helped me. Please let me know where to look for a solution, tip or useful comment. Thanks!
Private Downloads
Are you using private downloads?
Can public files still be viewed by anonymous users?
Thanks Brian. Such a short reply to such a long question... And no, I didn't set the download method to private. (Had never noticed it). Would that do the trick? Here it says:
Some dummy questions, just to make sure I understand:
Thanks for any help here.
Dorine Ruter
http://www.ruter.nl/blog
Ok, so I tested this private
Ok, so I tested this private download on a new website and it seems to work great. Thanks!
For www.ruaf.org it will be some work. The address of the attached files changes from e.g. "files/test.doc" to "system/files?file=test.doc". For some nodes we made manual links to attachments. We'll have to change these manually...
Dorine Ruter
http://www.ruter.nl/blog
Short Answers, Etc.
Sorry for such a short answer before. Id' rather not write a novel if I could, I usually stop by the support forums before heading to work.
In any event, if you use the public method of handling downloads, the download pretty much skips Drupal, hence the shorter URI that leads directly to the file. When you use private downloads, the download is sort of "piped through" Drupal, which means things like access control, etc, all apply. That is why I suggested you look at it. I personally have never used the organic groups module, so my guess was a shot in the dark given what I know about how Drupal handles files in general.
With respect to google seeing attachments, etc, just log out of your site and surf it as an anonymous user. Whatever you can get to as an anonymous user, Google will as well.
Hope this all helps.
Indexing uploaded files by Google
Hi Brian, the short answer was perfect, because it helped me solve the whole problem! Plus, thanks for the explanation of how the download method works.
About indexing the uploaded files, Google doesn't seem to do that. There is an indexing module available that indexes all uploaded attachments, such as PDF and Word documents. I'll see if this can be installed on my site as well sometime.
In a comment on my weblog, someone wrote there is an upload_indexer.module. Though it is mentioned in some tech posts (via Google), I haven't been able to find much about this module on this Drupal website. If anyone has some more information about this for me, that would be great!
Dorine Ruter
http://www.ruter.nl/blog
Indexing Module
The indexing module indexes things for your site's built in search. Why Drupal wouldn't index a word document attachment or a PDF attachment, I would not know. I do know Google has the capability to spider these types of files as I do run across them while Googling (Google even offers the option to "View as HTML").
You also might want to look into
gsitemap.module.Also, here is
upload_indexer.module.Private files are actually public...
Hi,
Yesterday my colleague set the download settings of the RUAF website (www.ruaf.org) to private. Just this morning we discovered that files can still be accessed by anyone, using the direct link (www.ruaf.org/files/name.pdf). This happens even with attachments to nodes in a password protected Organic Group, whereas unauthorized users should have been blocked.
So actually it seems this solution still doesn't work after all when someone has the address of the attached file... I just only checked the attachment link when I tested all this and that worked perfect. However I never looked at the direct link.
Is there anyone here that uses some kind of shielded sections in Drupal (via organic groups)? Could you please let me know how you have dealt with the access protection of attachments?
Thanks in advance.
Dorine Ruter
http://www.ruter.nl/blog
Private Method
On my site, I use the private method and while a URI like http://brianpuccio.net/system/files?file=images/usm_how_much.png works, the link http://brianpuccio.net/files/images/usm_how_much.png (where the file is actually on the file system) gives me a 403, as it should.
Just tried that
Thanks for the quick reply, Brian. What you wrote, I tried just this morning but I never got an error. I immediately got the file... Do you think there is a setting on my server somewhere that I should change?
(I don't even have a clue on where to begin to search for a solution, so all your help would be great.)
Dorine Ruter
http://www.ruter.nl/blog
In case your still stuck
In case your still stuck check out drubeedo's response to http://drupal.org/node/62614.
Basically, make sure your files directory is not in public_html if you want to prevent direct linkage in private mode.
Hi, Brian! Really your files
Hi, Brian!
Really your files are public. For example, I have no account on your site but if I click on the first URL: http://brianpuccio.net/system/files?file=images/usm_how_much.png I can see an image well.