
Prevent anonymous access to file via URL

Project: FileField
Version: 6.x-3.2
Component: Miscellaneous
Category: support request
Priority: normal
Assigned: Unassigned
Status: closed (fixed)

Issue Summary

Hi,

I'm using FileField for mp3 files, which are intended for access by 'subscribed' users (they have a role). I have set up the file field permissions appropriately, and in my views templates, prevent the display of the mp3 file links unless the user has the correct role. However, I can copy the file's URL and in another browser, as an anonymous user, access the file directly.

I have set up Drupal's file system for public downloads, as I also have some non-protected files for general user use.

How can I successfully prevent direct links to the files?

I've looked at the discussions at http://www.drupalcoder.com/story/406-mixing-private-and-public-downloads... and http://drupal.org/node/189239, but these seem to relate more to the standard file uploads rather than filefields and CCK.

Any clues would be most welcome.

Comments

#1

The "Private" file system set at admin/settings/file-system will protect all files on your site, including those uploaded by FileField. However, the private file system has gargantuan performance problems and I'd discourage you from using it at all costs, unless you're using a system to speed them up such as http://drupal.org/project/xsend. However, private files still prevent you from using the CSS aggregator, which is pretty crippling even if you speed up the actual transfers through something like xsend.

Note that you cannot switch the storage mechanism from public to private without manually updating your database and moving files around. Just changing the setting does nothing to your existing files; it will only affect new files that are uploaded after the setting has been changed.

#2

I think I have a workaround for this problem. It's a "wrapper" around file field and involves some Apache URL rewriting. Not too pretty, but way better than having a completely private filesystem. I currently keep that add-on module in my blog:

http://www.onyxbits.de/content/drupal-and-problem-protecting-uploaded-files

For details on install and setup, see included README.txt

#3

Easy fix described in this handbook page: Restrict specific folders from public download (via .htaccess)

Allows you to use a public file system on your site but run a check on access permissions for files in a specific folder. I've got this working with FileField 6.x-3.2 to restrict file downloads via URL by anonymous users.
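The approach described in #3, sketched as an added example (not taken from the handbook page or from the FileField project): an .htaccess file in the restricted folder redirects direct requests to Drupal's system/files path, so the download passes through Drupal's access checks instead of being served straight from disk. The folder name `protected`, the `sites/default/files` location, a site installed at the web root and enabled clean URLs are assumptions.

```apache
# Assumed location: sites/default/files/protected/.htaccess
# ("protected" is a hypothetical folder name; the site is assumed to live
# at the web root with clean URLs enabled).
#
# Deliberately NOT wrapped in <IfModule mod_rewrite.c>: if mod_rewrite is
# missing, Apache answers 500 for this folder instead of silently serving
# the files to everyone (fail closed rather than fail open).
RewriteEngine On

# In .htaccess context the pattern is matched against the path relative to
# this folder, so a request for "song.mp3" is redirected to
# /system/files/protected/song.mp3. Drupal's system/files callback then
# decides whether the current user may download the file.
RewriteRule ^(.*)$ /system/files/protected/$1 [R=302,L]

# Without clean URLs the target would instead be (assumption, untested here):
#   RewriteRule ^(.*)$ /index.php?q=system/files/protected/$1 [R=302,L]
```

Apache ignores this file unless the vhost allows overrides for the directory (`AllowOverride FileInfo` or broader), and an ignored file leaves the folder public. Confirm the result the same way the original report found the problem: request a protected file's URL from a browser session that is not logged in and check that the file is no longer delivered.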

#4

This version of Filefield / imagefield does NOT respect the private file system setting and any related anonymous permission setting.

#5

Isn't there some solution to mixing private and public files, similar to how Upload and the module Private Upload work? FileField is a hundred—nay, a thousand!—times better than Upload, and I've had problems with the Private Upload module... but I like the idea of having a convenient way to assign specific files within a node to be private without having to maintain .htaccess files everywhere or *shudder* messing with the private files feature in Drupal. Is there no module that plays nice with FileField to make this happen?

#6

There's content permissions with the content module, but not a per file permission as far as I know.
For my scenario, the only method of anonymous access for imagecache to a private imagefield requires a double layer of .htaccess files.
One closed .htaccess in the files directory and others undoing your work in the imagecache and related "image" thumbnail directories.

#7

Isn't there some solution to mixing private and public files, similar to how Upload and the module Private Upload work?

Unfortunately, Drupal's file system handling is all-or-nothing private or public. However, I think the approach recommended by metastate in #3 is probably the best way to go, where you use public files and then manually redirect certain directories through the private file system handling. In Drupal 7, this has been fixed with the new FileAPI, and the Drupal 7 FileField (now included in core, Upload module is dead) lets you choose per-field which ones you want to be public or private.

#8

subscribing

#9

Status: active » closed (fixed)