Hello,
I am confused about how to use IMCE with the private file system. What is the best way to use IMCE with the private file system?
I cannot upload files into nodes with the IMCE browser unless I uncheck the box "Disable serving of private files" in the 'Common Settings' of IMCE's configuration page. And if this setting is unchecked, can anyone with the URL access those files? This somewhat defeats the purpose of the private file system, doesn't it?!?
Are there modules I could use to restrict access to those files? Or do I not understand this correctly?
Thanks for your help for a newbie. :)
Andre
Comment | File | Size | Author |
---|---|---|---|
#15 | 1174782-extended_private_file_system_handling_.patch | 7.92 KB | gaborpeter |
Comments
Comment #1
ufku commented:
IMCE does not apply any restriction while serving private files. You need a custom module for that. I don't know of any.
Comment #2
rconstantine commented:
This only applies to when you have multiple untrustworthy users using IMCE, while they use IMCE, right? I mean, when the node displays, the image still gets served by Drupal via the private route if I understand this correctly. And if you trust all of your IMCE users, then who cares how the file gets served to the file browser. Am I wrong?
Comment #3
ufku commented:
@rconstantine, it's about how you want to restrict access to the site files. If you don't want any restrictions, there is no reason to use the private file system. Public files are served by Apache, which is way faster than serving private files by PHP.
OTH, if you want some kind of restriction, you will need a custom module that prevents serving of files by applying a set of predefined rules.
Comment #4
Miao1994 commented:
Hi,
I'm not sure if this is the right thread, but I have an issue using IMCE with the private file system. The module seems to work well; nevertheless, when users click on a file to download, the browser doesn't show the correct filename in the download window. For instance, Firefox 7.01 shows a random mix of letters (containing the file extension); IE9 shows the IP or server name. This behaviour doesn't appear when using the public file system: the filename shown is correct.
Thanks in advance.
Claudio, Italy.
Comment #5
Miao1994 commented:
Hi,
I just solved the issue described above by enabling rewrite rules and clean URLs. I'm not skilled enough to understand the reason; I hope this may help someone.
Comment #6
yoclaudio commented:
If you don't find a module like the one #1 mentions, this worked fine for me:
Edit imce.module file and change:
to this that will limit private file access to authenticated users (role ID = 2):
In #266549: directory protection from leeching there is a more interesting patch, but for IMCE in Drupal 6.
Comment #7
peterx commented:
Would it be possible for IMCE to call something to check? We could then put hooks into nopremium and similar modules for IMCE.
hook_imce_can_i_display_this_image($user, $page, $image);
The add other modules can then decide based on the user or page or image.
Comment #8
ufku commented:
@peterx, you don't need IMCE to define a hook for file access. You can use hook_file_download().
Comment #9
MickC commented:
#6 worked to stop anonymous access, but not to control specific user access - one user could see another user's files.
The test was to:
1 - log in as user A, double click a file - file opens in new tab showing URL - copy URL
2 - logout - get access denied when trying to access the URL - no anonymous access
3 - log in as user B - access to the URL is granted
@yoclaudio, thanks for this workaround - a good start, but I wonder if it's possible to improve the workaround for individual user access?
It may not be a massive problem, as it's unlikely user B will know specific URLs for user A's files.
However we know from this test it is not as secure as we'd like.
Any thoughts?
Comment #10
romainj commented:
I changed some of the code of #6 to restrict access to anyone except the owner of the private file.
ORIGINAL CODE
MODIFIED CODE
Remember that we shouldn't modify modules' code!
Hope this will help.
Comment #11
borys commented:
Hi,
As romainj said, modifying modules' code is not a good idea, so you can add this hook in your own module.
I needed to add some restrictions to IMCE (version 6 of module, but it should be the same for 7) files, and this is my solution:
p.s: Inspired by drupal core Upload module.
Comment #12
valentin schmid commented:
Hi,
Here's the Drupal 7 version of borys's hook in #11
Comment #13
vistree commented:
Hi Valentin,
your code works fine for Drupal 7. But there is a small bug: you have to define $user before the line using it.
So insert
before
If you only want to secure files from being accessed by anonymous users, use
instead of
Comment #14
MatthijsB commented:
Valentin's code in #12, combined with the first fix in #13, works for me too (Drupal 7.34, IMCE 7.x-1.9, IMCE for FileField 7.x-1.0).
Comment #15
gaborpeter (as a volunteer and at Penceo) commented:
In our project we need to use IMCE with the private file system, where other files not added by IMCE are also present.
So we did the following changes in the module:
file_download hook
first checks if the current user has access to IMCE; if so, it matches the file path with the path given in the IMCE profile directory list, thus not giving access to files outside the directory.
This check makes it possible for logged-in users to see all files / thumbnails in this upload dir while editing nodes etc.
The 2nd part of the function is for users who don't have access to an IMCE profile, let's say anonymous users. In this case, the file_usage table is used.
node operation hooks (insert, update, delete)
Managing the file_usage table for files attached as images to textareas in nodes. Thus if you add an image with IMCE to a node, only those users will see the image who have access to the node as well. In our case this is very handy as we have per node based grant settings.
We have also removed the checkbox for turning on and off global access to private files, as actually these changes should be a replacement solution for that.
In the future this solution should be upgraded to any entity not only to nodes.
Comments and feedback highly appreciated!
Comment #16
Drupa1ish commented
Comment #17
Peter Arius (as a volunteer) commented:
Patch #15 looks very promising, but is there an update?
Trying with
IMCE 7.x-1.9
IMCE for FileField 7.x-1.1
Drupal core 7.41
PHP 5.5
Files uploaded via File Field (core upload, not via IMCE yet) to the private file system are not served at all (white screen).
There are lots of PHP messages, like:
Notice: Undefined variable: file in imce_file_download() (line 149 of .../sites/all/modules/imce/imce.module).
Notice: Trying to get property of non-object in file_get_content_headers() (line 2554 of .../includes/file.inc).
Notice: Undefined index: node in imce_create_node_file_usage() (line 744 of .../sites/all/modules/imce/inc/imce.admin.inc).
Warning: Invalid argument supplied for foreach() in imce_create_node_file_usage() (line 744 of .../sites/all/modules/imce/inc/imce.admin.inc).
Comment #18
MmMnRr commented:
Hi everyone,
I tried with solution from valentin schmid (comment #12) and it worked perfectly (with changes from comment #13).
So the point is to develop a custom module that implements "hook_file_download(...)" and define some roles and IMCE profiles.
Then, you can use the IMCE media browser by visiting either of the following URLs:
http://yourbase.url.com/imce/public
http://yourbase.url.com/imce/private
Private files downloads will be controlled by the custom module.
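The per-owner restriction this thread converges on (comments #8 to #13 and #18), as an added example that is not code from the thread or from IMCE: a Drupal 7 `hook_file_download()` in a custom module. The module name `mymodule` and the permission `view any private file` are assumptions, as is the premise that each uploaded file has a `file_managed` record whose `uid` is the uploader.

```php
<?php
/**
 * @file
 * mymodule.module (hypothetical name): per-owner access to private files.
 */

/**
 * Implements hook_file_download().
 *
 * Core semantics: -1 from any module denies the download, an array of
 * headers allows it, NULL means "no opinion". If no module returns
 * headers, core denies the request.
 */
function mymodule_file_download($uri) {
  // Declare $user before using it (the bug pointed out in comment #13).
  global $user;

  // Only private:// URIs are handled here.
  if (file_uri_scheme($uri) !== 'private') {
    return NULL;
  }
  // Anonymous visitors (uid 0) never receive private files.
  if (empty($user->uid)) {
    return -1;
  }
  // Find the managed file record for this URI.
  $files = file_load_multiple(array(), array('uri' => $uri));
  if (empty($files)) {
    // Unmanaged file (e.g. an image style derivative): no opinion, so
    // whichever other module handles it decides.
    return NULL;
  }
  $file = reset($files);

  // Serve to the uploader, or to roles holding the override permission
  // (hypothetical permission, defined below).
  if ($file->uid == $user->uid || user_access('view any private file')) {
    return file_get_content_headers($file);
  }
  // Logged in, but not the owner: the case user B hit in comment #9.
  return -1;
}

/**
 * Implements hook_permission().
 */
function mymodule_permission() {
  return array('view any private file' => array(
    'title' => t('View any private file'),
    'restrict access' => TRUE,
  ));
}
```

Because a single -1 denies the request, this check still applies when another module returns headers for the same URI. Repeating the three-step test from comment #9 verifies it: user B should get access denied on user A's URL.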
Comment #19
Peter Arius (as a volunteer) commented:
There is a companion module IMCE private files which seems to do just the right thing. Haven't finished testing it yet, though.
Comment #20
thalles commented:
This looks solved!
Comment #21
thalles