Restrict direct URL view/download for images
Hi,
Thanks to drubeedoo for solving the issue of linking the files directory to a folder below my web folder at Private files
By Setting the drupal site as 'private - files transfered by drupal' , anonymous users should not be able to see the images. This is correct as if I browse the web site as anonymous, I will not be able to see the images using on my site's drupal pages
However, if the anonymous person know the location of the images using the image path like the example below
www.myexamplesite1.com/system/files?file=images/Image1.thumbnail.JPG
they will be able to view the image on the browser. I tried and only images files and video files are direct viewable even by anonoymus users.
So how to we prevent direct URL access to view/download the images?
Is that the image module or is it apache settings?
This is rather important in order to protect the images for registered users only.
infigaro
This is the last thread I
This is the last thread I wanted to read two days before the launch of a site I've been working on for months.
All the roles, permissions, etc I've created and all someone needs is the url and they can view the image(s).
nice.
Is there a solution for this?
Path access module
I haven't tried it, would expect the path access module to solve that problem. http://drupal1.osuosl.org/node/48498
I'm using Gallery2 embedded to achieve the same thing via roles/groups, and any attempt to reach an unauthorised URL comes up access denied.
(edit)
I forgpt; I have also put an .htaccess file in the images directory:-
Order deny,allowdeny from all
allow from localhost
This willl prevent access from all external hosts, but allow Drupal access to serve your images.
Regards
Tony Sleep
is that all that's in the
is that all that's in the .htaccess file or did you copy your original file and just add that?
Thanks,
Jeff
,htaccess
If there is one already, add those lines. If there isn't one, create one with those directives.
Regards
Tony Sleep
Tony... So you're telling me
Tony...
So you're telling me if I add this.....
Order deny,allow
deny from all
allow from localhost
to a file and save it as .htaccess anyone that types in http://www.example.com/files/images/example.jpg will get an error?
If so its not working for me. Any chance you can email me your .htaccess for the images file?
Thanks,
Jeff
Mine says
Mine is located in http://www.example.com/files and says (copy & pasted):-
========
IndexIgnore *
Order deny,allow
allow from localhost
deny from all
========
I get 'page not found' if I try to access http://www.example.com/files/images/example.jpg directly. I just checked. Permissions on the images folder are 740.
However, discussion elsewhere points out that if you use http://www.example.com/system/files?file=example.jpg instead - and that's the URL you get if you copy the image URL whilst logged in - this has no effect as Drupal is doing the serving. The path_access module should fix that, and/or jiggery-pokery with Apache mod_rewrite in .htaccess should be possible. See http://drupal.org/node/61464#comment-129165
Regards
Tony Sleep