Hi guys,
About the feature 'Private - files are transferred by Drupal': I set it up on my Drupal site. As the documentation advises, unregistered users can't access files via the URL even if they know my direct image path. However, on my Drupal site, unregistered users can still access the images directly from the URL.

Could someone advise how to set this up properly? I also read somewhere to put the folder into a directory not accessible by the web, but what do I type for the file system path for this feature?

Thanks

Comments

drubeedoo’s picture

What is referred to in the documentation as not accessible from the web is a folder outside of the web directory structure. For example, a host may have you set up as follows:

/home/
    /account/
        /public_html/       (this is your root web folder containing drupal)
            /files/         (this folder accessible from the web: public files)
        /private/           (this folder NOT accessible from the web: private files)

You have to create a folder one level above your Drupal site, at the same level as the /www/ or /public_html/ folder. The server will not send files to a browser unless the request is made from within the /public_html/ directory. In this case, it is Drupal that gets the file and sends it after checking permissions.

There are some things to watch out for, though. If you set private files, you cannot display an uploaded logo from within Drupal. This is easily fixed by putting the logo into a web accessible folder, and setting the path in the theme configuration. The second is a bug in Drupal/IE6 that prevents any attached files from opening from your IE6 browser. To work around this bug, your site users will need to first save the attachment to their PC, then open it from their local computer.

infigaro’s picture

Thanks for your help.
So what should I enter into the 'file system path' settings?

Based on your example, if I enter the file system path as the 'private' folder, my Drupal settings will show that the directory does not exist even though I created the folder as per your example. Is there any extra '/' I have to insert?

Please advise.
Thanks.

drubeedoo’s picture

If you created a folder called "private" at the same level as your "public_html" (outside the web root), your path would look something like this:

/home/account/private

You need to know your path from the root of your server to your root account folder. In my case, it is /home/account, in yours, it may be different. Follow up with your hosting provider if you're not sure.

infigaro’s picture

Yes, I managed to get the information from my host.
Just one thing to note: I had to enter //home/account/private to make it work.

Thanks for all your advice. :)

datamodel’s picture

The above path example you gave works fine for *nix/nux platforms,

but because I have a Windows platform I entered the following value for "file system path"

C:\drupal\files

This causes me to get this error on Drupal's logs page very often:

getimagesize(C:\drupal\files/images/Dandelions.jpg) [function.getimagesize]: failed to open stream: No such file or directory in C:\Program Files\Apache Group\Apache2\htdocs\drupal-4.6.5\modules\img_assist\img_assist.module on line 632.

Obviously the necessary massaging for the "file system path" value I entered was not done, and a Unix-type path was expected. So how do I enter the path in the correct form?

pz’s picture

Try C:/drupal/files

datamodel’s picture

Thanks. I have tried it and will see if the errors stop showing up. Will edit this post to confirm result.
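
The path problems reported in this thread (a "directory does not exist" message, the doubled leading slash that infigaro needed, and the Windows backslashes that broke getimagesize()) can all be caught before the setting is saved. The following is an added example, not code from this thread or from Drupal itself: it normalises the configured "file system path", resolves it to a real directory, and refuses one that sits inside the web root, since the web server would then serve its contents directly. The function name, the $docroot parameter and the returned array shape are assumptions for this example.

```php
<?php
// Added example (not Drupal's own code): validate the "file system path"
// configured for private files before trusting it.

function validate_private_path(string $configured, string $docroot): array
{
    // Accept both "C:\drupal\files" and "C:/drupal/files" by using forward
    // slashes throughout (UNC shares like \\server\share are not handled here).
    $path = str_replace('\\', '/', trim($configured));
    // Collapse "//home/account/private" style doubled separators.
    $path = preg_replace('#/{2,}#', '/', $path);
    $path = rtrim($path, '/');

    if ($path === '' || !is_dir($path)) {
        return ['ok' => false, 'error' => "directory does not exist: $path"];
    }
    if (!is_writable($path)) {
        return ['ok' => false, 'error' => "directory is not writable: $path"];
    }

    // Compare canonical paths so "../private" (relative to the Drupal root,
    // i.e. the current working directory) and symlinks are judged by where
    // they really point, not by the string that was typed in.
    $real = str_replace('\\', '/', realpath($path));
    $rootReal = realpath($docroot);
    $realRoot = $rootReal === false ? '' : rtrim(str_replace('\\', '/', $rootReal), '/');

    if ($realRoot !== '' && ($real === $realRoot || strpos($real, $realRoot . '/') === 0)) {
        return [
            'ok' => false,
            'error' => "$real is inside the web root $realRoot; the web server can serve it directly",
        ];
    }
    return ['ok' => true, 'path' => $real];
}

// Usage (the two paths are placeholders for the layouts discussed above).
$result = validate_private_path('C:\\drupal\\private', 'C:\\drupal\\htdocs');
echo $result['ok'] ? "using {$result['path']}\n" : "error: {$result['error']}\n";
```

The "inside the web root" check is the one that matters for security: a private directory that is merely spelled with the right slashes is still not private if Apache can reach it, so the check is done on the resolved path rather than on the configured string.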

anner’s picture

Got what you are saying, and thanks, but I can still access the files using the path from the Drupal source (e.g. http://wwww.myserver.net/system/files?file=my.jpg) even when I am logged out of Drupal. My private file dir is /var/private and my html dir is /var/www/html. I also checked... anonymous user does not have permission to view uploaded files.

Ideas?

Interesting note: it appears to work for .doc files, but not for .jpg. If I give the url of a .doc, it says file not found, but it pulls .gif and .jpg files right up. A bug maybe?

anner’s picture

Please....anyone? This is a big deal for security!

drubeedoo’s picture

Hi Anner,

Yeah, I'm seeing the same thing happen. I can view a private JPG as an anonymous user via the full system path, even when I shouldn't. I'm not sure if this is a Drupal access misconfiguration issue or a bug in Drupal. Other file types like PDF are blocked, while images show up.

Interesting...

el777’s picture

Maybe it's due to the browser cache?
Maybe you visited the page before and the image was in the browser cache?

Mojah’s picture

What works for me is creating a folder outside of the html docs folder (www or public_html). I chmod it to 777, giving Drupal write access. Within Drupal, I set the path to the private folder like this: ../private

So if our structure is as follows....

www/
private_html/
public_html/   (your Drupal install in this directory)
mail/
private/

You would use ../private as your Drupal private file storage folder.

el777’s picture

I see here 2 solutions:

First of all: it's not required to move protected files out of the document root - I think they may be placed in a folder protected with .htaccess.
Next: how to grant access to protected files for registered and "good" users, and restrict it for anonymous users and registered users without the proper rights?

Solution 1:
Each download goes through PHP: the script gets the request, checks the session and sends the file.
+ Much of this is already implemented
+ Works on every hosting
- Big overhead for the server and a performance drop.

Conclusion: suitable for small sites with not so big a community and number of files, hosted on usual PHP hosting.

Solution 2
Move the authentication process to Apache and provide info from Drupal for it. Here I've found the Auth MemCookie module: http://authmemcookie.sourceforge.net/ . Using it, we may send auth info to Apache, so files will be served by it directly without invocation of PHP. I think of some kind of module OG-ApacheFiles which sends user info to Apache upon user login, deletes it on logout, and maintains an .htaccess file with a list of which groups can access each folder.
+ Much faster, better performance
- Requires installation of extra modules on the hosting

Conclusion: suitable for big sites with a big community and many files, hosted on configurable hosting - you need the ability to install extra software.
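
Solution 1 above, and drubeedoo's earlier description of Drupal fetching the file and sending it after checking permissions, both amount to the same gate script. The following is an added example, not code from this thread, from Drupal's own file transfer, or from any module named here: it resolves the requested name inside the private directory, refuses anything that escapes it, checks the session, and streams the file with headers that stop browsers and proxies from caching it. PRIVATE_DIR, the ?file= parameter and user_may_download() are assumptions of this example; user_may_download() stands in for whatever access rule a site needs (a permission, a role, a per-day quota).

```php
<?php
// Added example (not Drupal's own file transfer): gate private downloads
// through PHP so that the web server never serves them directly.

const PRIVATE_DIR = '/home/account/private';   // assumed: outside the web root

// Assumption: login state lives in the PHP session; replace with the site's
// real access check (permission, role, download quota, ...).
function user_may_download(string $file): bool
{
    return !empty($_SESSION['uid']) && $_SESSION['uid'] > 0;
}

// Map the requested name onto a real file inside PRIVATE_DIR, or return null.
// realpath() canonicalises "..", symlinks and doubled slashes, so the prefix
// test is made on where the file really is, not on the string the client sent.
function resolve_private_file(string $requested): ?string
{
    $base = realpath(PRIVATE_DIR);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $candidate = realpath($base . '/' . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strpos($candidate, $prefix) === 0 ? $candidate : null;
}

function send_private_file(string $requested): void
{
    session_start();
    if (!user_may_download($requested)) {
        http_response_code(403);
        exit('Access denied');
    }
    $path = resolve_private_file($requested);
    if ($path === null) {
        http_response_code(404);
        exit('File not found');
    }
    // Tell the browser and any proxy not to keep a copy; a cached image is one
    // way a "private" JPG keeps appearing after logout (see el777's remark).
    header('Cache-Control: private, no-store, must-revalidate');
    header('Pragma: no-cache');
    // Serve as a download rather than guessing a type, so an uploaded HTML or
    // SVG file is never rendered inline under the site's origin.
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

send_private_file($_GET['file'] ?? '');
```

Two points decide whether this gate is actually private. The directory must be unreachable by the web server (outside the document root, or covered by a "Deny from all" .htaccess), otherwise the gate can be bypassed by requesting the file directly; and the access check must run before any byte is sent, with a 403 rather than a redirect, so that an anonymous request never receives the content. The gate reads the file through the filesystem, not over HTTP, so no "Allow from" exception for the server's own address is needed.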

rubenk’s picture

It seems like the authmemcookie solution is a good candidate for the handbook if you wouldn't mind describing it in detail because with o.g. and drupal's fame, many people are building bigger sites and starting to worry about performance. I sure would love the info!

Chill35’s picture

First of all: it's not required to move protected files out of the document root - I think they may be placed in a folder protected with .htaccess

What do you put in the .htaccess file in the folder to protect it?

For example, if I am using the "files" folder and setting my File Handling to "private - files are transferred by Drupal", here is what I experience:

- putting http://www.myWebSite.com/files/ in the address bar redirects me to index.php. That's good.

- hotlinking to a file in /files is still possible: when I put the path to the file in my address bar I am able to access it and open it, whether it is .jpeg, .pdf or whatever.

What am I doing wrong?

anner’s picture

Your .htaccess should look like this:

ORDER DENY,ALLOW
DENY FROM ALL
ALLOW FROM XXX.XX.XX.XXX

where XXX.XX.XX.XXX is your web server's IP

Phillip Mc’s picture

Hi el777,

Big up for posting that link to authmemcookie. It looks very interesting.

Any directions on how to maybe implement that alongside something like the quickfile.module or is it a big undertaking to incorporate that method of authenticating downloads?

Apologies in advance if that is a dumb question.

Phil

lias’s picture

Don't you share the same IP with all the other sites hosted on the same machine? That would mean all those other sites would have access, since they're using the same IP.

anner’s picture

I'm not on shared hosting. Yes, that would be an issue if you are sharing an IP (shared hosting http), but it would at least limit your risk. It's been so long since I tried to protect anything on a site that wasn't https (which requires a unique IP) that I hadn't thought of that.

jtk3’s picture

...upon request or for a modest additional charge. Mine does.

I think that solves the problem

gagagaga’s picture

Hi, I've looked for a secure file download solution for Drupal for 2 days, but I cannot find any solution.
I have software downloads for my clients, who are in different user groups with roles. I want one role to be able to download files 1 time a day, another role 3 times a day, etc...
Can anyone help me?

marcoka’s picture

That second idea sounds very good. I'm looking for a solution for that problem/those methods for 2 days now and want to contribute a module after I decide what solution to use.
Doing this on the server side sounds very promising.