Hi,

When a user uploads a file when creating a file product, it is first moved to the Drupal file directory. After the form submission, it then moved to a "private" directory for security reasons. But before the user actually submit the form, it is publicly available, no? If yes, I there a simple way to force uploading the file in the private final directory directly?

Best regards.
K.

Comments

Turgrid’s picture

Turgrid commented

It is temporarily available publicly, but per the recommendation (hopefully noted somewhere in docs), if you make the filefield upload directory some very long randomly named subdirectory of /files, you get relatively good security (because no one will be able to guess the subdirectory name).

syndicateStorm’s picture

syndicateStorm commented
Status: Active » Closed (works as designed)

See Turgrid's post. This is basically how Ubercart does it. If you can think of a better way, post the idea as a feature request, and I will be happy to add it to the code.