I've upgraded to the latest version of Drupal (v. 6.19) and newer versions of the following modules: Admin role, Admin menu, Backup and Migrate, CCK, IMCE and Pathauto. After running update.php with no issues, all the images on my website disappeared. The path on the page for images is http://mysite.com/system/files/filename.png, but when I clicked on that link, I got "Access denied." The files directory has read/write permission. All boxes in admin/user management/permissions are checked (the problem exists even if I logged in as user-1). I have sites/default/files as the file system path, and the download method is set as "Private". I briefly switched to "Public" to see if it can help, but since it did not, I immediately switched back to "Private". I can see the file if I point the browser directly to http://mysite.com/sites/default/files/filename.png, but why is the mismatch between the paths? I tried to create a new page and insert an image there using as usual a combination of FCKeditor and IMCE. When I opened the IMCE file browser and pointed to the image, it did not show up in the preview window. I still clicked on the "send to FCKeditor" button and inserted the image, but the image cannot be seen on the page. What is the problem? What am I missing? PLEASE HELP! I have this problem on both the development (local machine) and production site.

Comments

roddy003’s picture

The problem solved; it was a bug in the the backup and migrate module v.1.3. When I replaced it with version 2.2 all images became visible. What is strange, however, is that, even if the file system is set to Private, anyone can access images by pointing the browser directly to http://mysite.com/system/files/filename.png. Why is it so? Is it because I uploaded files via FTP? Or is it because the /sites/default/files directory is within the root directory? Or am I missing something else?

vm’s picture

it's because you didn't move the folder above the public root. where noone but logged in users would be able to be directed.

roddy003’s picture

If I move the folder above the public root, I would not be able to access it via FCKeditor with IMCE, which shows only the folders and files below sites/default/files.

vm’s picture

then you can't use a truly private file system or you must split it between private and public using private_upload.module and private_download.module and keep only the "truly" private files above public root.

roddy003’s picture

It looks like the private_download module eliminates the need to keep private files above public root. After its activation it creates a folder called "private" within /sites/default/files and places .htaccess file there that emulates the private file system setting. And what's important it also allows to set permissions for certain users. The latter is lacking in the Drupal's private system setting. As a result, setting the file system to private does not make it private unless you keep the files above public root. Here is what I did after installing and activating the private_download module:
1. Set file system to public
2. Backed up the database, opened it in a simple text editor and replaced all text strings "/system/files" with "sites/default/files"
3. Uploaded (ftp) most of my files into sites/default/files... and a small number of sensitive files into sites/default/files/private folder.

Now the web pages (some have many images) seem to load faster. The path to the files in the sites/default/files/private folder is converted from http://mysite.com/sites/default/files/private/image.gif to http://mysite.com/system/files/image.gif, and if an unauthorized user type it directly into the browser he gets "Access denied", as it supposed to be.

Unfortunately, the private_download module allows only one folder. Creating subfolders under folder /private does not make the files in those subfolders inaccessible. Moreover, when I deleted those subfolders, the files in the folder "private" became accessible by directly typing in the browser the address http://mysite.com/system/files/image.gif, although the file .htaccess was still there. So I needed to do all things again, deleting the folder private and reactivating and setting the private_download module to get this "Access denied" page for unauthorized users.

Now I am wondering if Drupal itself allows to work with subfolders when the file system is set to private. Maybe something similar happened when I created subfolder under "sites/default/files" and files I placed there became accessible by directly typing there address in the browser?

vm’s picture

.htaccess may need to be modifed or copied to the subdirectory in use?

roddy003’s picture

I tried it briefly and after it did not work after a couple of attempts I gave up and opted to live with just one private directory :-(