Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.
By jcornwellshiel on
To start things off, I'm running Windows Server 2008, IIS7 (with URL Rewrite Module for clean urls), PHP 5.2, and Drupal 6.16.
Possibly related, I'm also using the Webserver Authentication Module for Drupal to authenticate users against the local domain via IIS7's Windows Authentication.
The issue is this... all files uploaded through Drupal's Upload Module OR FileField/ImageField are inaccessible on the web site. Attempting to access them directly via the browser (e.g. - http://drupal-serv/sites/default/files/test.jpg) results in IIS throwing a 500 error.
Upon investigating the uploaded file directly, I find the following permissions set:
C:\inetpub\wwwroot\sites\default\files\test.jpg
Owner: DRUPAL-SERV\Administrators
DRUPAL-SERV\Administrators - Full Control
DRUPAL-SERV\IIS_IUSRS - Special Permissions (List files/read data)
The parent folder (C:\inetpub\wwwroot\sites\default\files\) on the other hand, has considerably more access allowed. It is set to not inherit any permissions from its parent, but to pass its permissions on to its children.
In testing, I've given a lot more than it should eventually have, but here we go.
Owner: DOMAIN\Everyone
DRUPAL-SERV\Administrators - Full Control
DRUPAL-SERV\IIS_IUSRS - Full Control
DOMAIN\Everyone - Full Control
I've tried using the CCK FileField Module and a custom path for uploads (C:\inetpub\wwwroot\sites\default\files\[user]) with no change in the behavior. In fact, when the first file is uploaded, it creates the new directory with the proper inherited permissions, but the uploaded file's permissions still appear as noted above.
To make things even more confusing for me, when using the CCK ImageField Module to upload a file the uploaded file has the restrictive permissions, but the ImageField-generated thumbnail inherits permissions properly.
The ImageCache Module is able to create thumbnails, which means that it is able to access the files. Furthermore, the ImageCache thumbnails are visible to the web site users, as they receive the inherited permissions from the \files\ folder.
It's my understanding (though I may be wrong) that when using ISS7's Windows Authentication, the permissions of the user you authenticate as are used to determine whether you can access files.
Any ideas on what the cause of all this could be, or how to fix it?
Comments
check your logs?
I don't have an idea what's causing the problem, but I would start by checking my PHP error log and my site's admin/reports/dblog to see if there are any suspicious entries there.
The fact that files upload properly makes me suspect that it isn't a permissions issue at all, but a module issue.
re: check your logs?
No luck. admin/reports/dblog doesn't log anything for the upload events, and logs success for the page creation.
The reason I suspect that it is a permissions issue is that the files *do* appear on the server, but the files' permissions do not allow viewing by users, whereas the files created as a result of PHP's image manipulation functions inherit their parent folder's permissions.
I'm going to compare the code for saving thumbnails vs saving the original image in the ImageField module this weekend, and report anything I find.
same issue
I was having this exact same issue. Strange settings change was causing this for me:
Check your temp directory... under admin/settings/file-system...
I changed mine accidentally to "/tmp" instead of "tmp" and it wasn't reporting any errors about writing to the directory. It was just having that weird permissions problem.
Hope this helped.
I have this same issue.
Did you ever find a solution ti this problem? I am experiencing exactly the same issue in the same environment. Thanks
me too
also having the same issue... any help would be GREATLY appreciated.
will report back if i uncover anything.
joe
Same problem here..
I am having the same issue... I cannot do anything with the image unless I manually log in to IIS and fix the permissions.
When I try to view the image via IMCE it shows the file, but when I click on it is broken. Once I fix the permissions, it is immediately available.
Security Solution
We have found the basis of the problem, and the solution as well. The solution is prefaced by the fact that in windows, a moved file keeps it's original folder's permissions, a copied file gets new permissions. While not verified, I believe what is happening is that the file is initially being uploaded to the phpuploads folder (or some temporary directory). The file is then "MOVED" to the \files\[user] folder. When the move occurs, if the originator folder (temp folder) does not have the proper credentials, the moved folder will not be read by IIS. We created a new temp uploads folder and gave that folder the same permissions as the drupal project. Now all is well with the uploads.
The reason that the thumbs can be read (from the start), is that they are "COPIES", the copies take their security from inheritance, and they are good to go from the start.
Permissions on PHP upload tmp directory
I just ran into this issue as well. Turns out that in IIS, when PHP moves the uploaded file from the tmp directory (upload_tmp_dir in php.ini) to its final destination, the permissions don't go with it. So, instead of inheriting the permissions from the parent folder, you're getting the permissions from the php upload tmp directory.
Specifying an upload_tmp_dir in php.ini with permissions that pass the desired permissions to it's children should do the trick.
Hope that helps!
problem solved
I was having the same problem. I could upload an image but when I clicked on it the image would not display. When I looked at the permissions some were not getting applied to the file, as soon as I manually applied them the file would work. I found that in my case I went to IISm, for that website and then choose authentication. Under authentication I chose Anonymous Authentication and clicked on edit and changed the identity from specific user to Application pool. That solved all of the problems that I was having with my site.