File download security
jam1401 - September 3, 2006 - 18:15
I have been trying to secure my Drupal site to prevent files that have been uploaded from being downloaded by a non-authenticated user.
This is what I have done
administer->settings->filesystem-settings
path = ../../files (i.e. not inside the web context)
download method = private
administer->access-control
View uploaded files = unchecked for anonymous user
I also have the securesite module which is set to enable http authorization on everything except for /?q=logout
I thought the above was doing okay until I tried this method of access
http://[my host]/drupal/?q=system/files/foo.txt
Lets me get the file no matter what
Is there anything I can do to secure this mode of access?

Does it still happen
If you disable the http authentication and go back to the standard?
What happens if you try a browser that hasn't logged into your site before?
--
Anton
The same thing happens
I had ruled out cached credentials by accessing from a fresh machine.
I went and did as you said, used another fresh machine (i.e. a machine that had never accessed the site) and the same thing happened. I could download the file without any problems.
regards
Jeff
Did you try
disabling the http auth (ie the securesite module) to see if that was the problem?
--
Anton
Different results on my site
I was worried my files might also be exposed, so I just tested a somewhat similar setup in one of my environments and didn't get the same result. Here's an outline of my test (with Drupal 4.7.3):
location for files = ../files
file access method = private
access control settings for anonymous user:
- comments module = access comments
- node module = access content
- upload module (view uploaded files = false)
created page node and attached file (via upload module)
attempted access via http://www.example.com/?q=system/files/foo.txt (worked)
logged out
attempted again via http://www.example.com/?q=system/files/foo.txt (Access Denied - as it should be)
logged in
changed access control settings for anonymous user:
- upload module (view uploaded files = true)
logged out
attempted again via http://www.example.com/?q=system/files/foo.txt (worked)
This doesn't point to why things aren't working in your environment, but it does show that what you're seeking to do is possible.
JM
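The logged-out step of the test outlined above can be repeated as a script after every module or configuration change. This is an added example, not part of the original thread or of Drupal; the base URL and file names are supplied by whoever runs it, and it assumes a 200 response means the file was served while 401 or 403 means access was denied.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import quote


def fetch_status(url, timeout=10):
    """GET the URL with no cookies or credentials and return the HTTP status."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403/404 are raised as exceptions by urllib


def audit(base_url, filenames, fetch=fetch_status):
    """Classify the anonymous response for each private-file URL."""
    results = {}
    for name in filenames:
        # Both the ?q= form used in the thread and the clean-URL form.
        for url in (f"{base_url}/?q=system/files/{quote(name)}",
                    f"{base_url}/system/files/{quote(name)}"):
            status = fetch(url)
            if status == 200:
                results[url] = "EXPOSED"          # file served to anonymous
            elif status in (401, 403):
                results[url] = "denied"           # HTTP auth or Access Denied
            else:
                results[url] = f"other:{status}"  # e.g. 404 file not found
    return results


def exposed(results):
    """Return the URLs that an anonymous client could download."""
    return sorted(url for url, verdict in results.items() if verdict == "EXPOSED")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: check.py BASE_URL FILENAME [FILENAME ...]")
    found = exposed(audit(sys.argv[1].rstrip("/"), sys.argv[2:]))
    for url in found:
        print("EXPOSED to anonymous users:", url)
    sys.exit(1 if found else 0)
```

A site that redirects anonymous visitors to a login page instead of returning 403 will report 200 here, so treat an EXPOSED result on such a site as something to confirm by hand.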
Very Puzzling?
JM what you describe is what I expected from my settings.
The only difference is that I am running 4.7.2 - I will upgrade to 4.7.3 and see if that fixes my problem.
I can't think of anything else at this point.
thanks for your pointer...
Jeff
Two steps forward, one back
Well I discovered I had the filerequest module loaded (forgot). When I disable this module I cannot access the files using the http://www.example.com/?q=system/files/foo.txt method. However I cannot do this no matter if I am logged in or not! I just get a file not found error (nothing about access denied)
If I re-enable the filerequest module then it is open access again so I suspect this module has something to do with it.
I think that somewhere along the line I must have screwed up my configuration and I cannot seem to undo it. So I think I am going to re-install a clean system and start again.
Can't think of anything else anyway!
thanks
Jeff
Perhaps this has some bearing
Just found this post
http://drupal.org/node/75087
I will apply the patch and see what happens.
Yahtzee!
This patch solved the problem.
http://drupal.org/node/75087
Hi guys
I am having another issue, which is that I have uploaded a file and now my logged-in users hit the browser and download files, and now I am stuck on what to do to restrict them from hitting file URLs from browsers. Can anyone help me out?