Hello,

I manage a website that's running Drupal 6.25. I have two different types of files that I need to be "protected". One is just a folder containing PDFs, the other is a folder containing folders of digital newspapers (flash/html5).

Last week I used the tutorials online (not this module - tho they are practically the same thing) and got the digital newspapers area "protected". However, it somehow was messing up the flash and it wouldn't work in Safari or IE8. So I reverted it back, deleted all custom htaccess', removed the custom module, and cleaned out any references manually in sql.

So now I want to try the same thing for the PDF folder. And it just does not work...

Standard settings.... (sites/default/files/private) containing the stock htaccess file. Install went fine, setup went fine (sans the ckeditor nonsense), permissions set, all is well. But it just does not work. I've clear caches in drupal, rebooted apache, cleared browsers caches, etc. Nada.

In the (sites/default/files/private) folder I have an image, logo.jpg, and when I make ANY kind of call to it I get 'Access Denied'.

(www.url.com/system/files/private/logo.jpg) -> (www.url.com/system/files/private/logo.jpg) - 'Access Denied'
(www.url.com/sites/default/files/private/logo.jpg) -> (www.url.com/system/files/private/logo.jpg) -'Access Denied'
(www.url.com/files/private/logo.jpg) -> (www.url.com/files/private/logo.jpg) -'Access Denied'

I have no modules that even come close to effecting the hook going on here. I'm at a complete loss. And I've been working on this for 2 SOLID days now.

Thanks,
Chad

Comments

croush’s picture

croush CreditAttribution: croush commented

Just an update,

I installed this module on our other drupal site (same server...same apache/sql) and it works. However, it downloads all files, even images, instead of displaying them in the browser. And I know it's module related and not apache because I can go to a misc image folders (not private) and they are displayed just fine in the browser.

I looked into the module at the headers area and I see nothing wrong... It even has the max-age set which was not present in the tutorials I used last week.

$header = array(
      'Content-Type: '. file_get_mimetype($filepath),
      'Content-Length: '. filesize(file_create_path($filepath)),
      'Content-Disposition: attachment; filename="'. mime_header_encode(basename($filepath)) .'"'
    );
    // additional user-defined file header attributes (if any)
    return array_merge($header, explode("\n", variable_get('private_download_header', "Content-Transfer-Encoding: binary\nCache-Control: max-age=60, must-revalidate")));

Edit: I switched the content-dispo to inline and it works. And that's fine because everything we are serving we want that way.

The main .htaccess file for the site that isn't working...

# Apache/PHP/Drupal - The Daily Reporter (03/22/2012)

# Protect files & directories
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$">
  Order allow,deny
</FilesMatch>

# Force the latest IE or use Chromeframe
<IfModule mod_setenvif.c>
  <IfModule mod_headers.c>
    BrowserMatch MSIE ie
    Header set X-UA-Compatible "IE=Edge,chrome=1" env=ie
  </IfModule>
</IfModule>

<IfModule mod_headers.c>
  Header append Vary User-Agent
</IfModule>

# Cross domain webfonts
<FilesMatch "\.(ttf|otf|eot|woff|font.css)$">
  <IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
  </IfModule>
</FilesMatch>

# Video
AddType video/ogg  ogg ogv
AddType video/mp4  mp4
AddType video/webm webm

# Proper SVG serving
AddType     image/svg+xml             svg svgz 
AddEncoding gzip                      svgz

# Webfonts
AddType application/vnd.ms-fontobject eot
AddType font/truetype                 ttf
AddType font/opentype                 otf
AddType font/woff                     woff
AddType text/cache-manifest           manifest
AddType text/x-component              htc

# Index & Directory Options
Options -Indexes
#Options +SymLinksIfOwnerMatch
Options +FollowSymLinks
DirectoryIndex index.php
ErrorDocument 404 /index.php

# Force simple error message for requests for non-existent favicon.ico.
<Files favicon.ico>
  ErrorDocument 404 "The requested file favicon.ico was not found.
</Files>

# PHP 4, Apache 1.
<IfModule mod_php4.c>
  php_value magic_quotes_gpc                0
  php_value register_globals                0
  php_value session.auto_start              0
  php_value mbstring.http_input             pass
  php_value mbstring.http_output            pass
  php_value mbstring.encoding_translation   0
  php_value memory_limit                    96M
  php_value post_max_size                   32M
  php_value upload_max_filesize             32M
  php_value max_input_time                  180  
</IfModule>

# PHP 4, Apache 2.
<IfModule sapi_apache2.c>
  php_value magic_quotes_gpc                0
  php_value register_globals                0
  php_value session.auto_start              0
  php_value mbstring.http_input             pass
  php_value mbstring.http_output            pass
  php_value mbstring.encoding_translation   0
  php_value memory_limit                    25M
  php_value post_max_size                   32M
  php_value upload_max_filesize             32M
  php_value max_input_time                  180
</IfModule>

# PHP 5, Apache 1 and 2.
<IfModule mod_php5.c>
  php_value magic_quotes_gpc                0
  php_value register_globals                0
  php_value session.auto_start              0
  php_value mbstring.http_input             pass
  php_value mbstring.http_output            pass
  php_value mbstring.encoding_translation   0
  php_value memory_limit                    512M
  php_value post_max_size                   32M
  php_value upload_max_filesize             32M
  php_value max_input_time                  180
</IfModule>

# Gzip compression.
<IfModule mod_deflate.c>

# html, txt, css, js, json, xml, htc:
  AddOutputFilterByType DEFLATE text/html text/plain text/css text/javascript application/javascript application/json
  AddOutputFilterByType DEFLATE text/xml application/xml text/x-component

# Webfonts & SVG
  <FilesMatch "\.(ttf|otf|eot|svg)$" >
    SetOutputFilter DEFLATE
  </FilesMatch>
</IfModule>

# Requires mod_expires to be enabled. Set caching to 2 weeks after access.
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresDefault A1209600
  <FilesMatch \.php$>
    ExpiresActive Off
  </FilesMatch>
</IfModule>

# Various rewrite rules.

<Files *.js.gz>
  AddEncoding gzip .js
  ForceType application/x-javascript
</Files>

<Files *.css.gz>
  AddEncoding gzip .css
  ForceType text/css
</Files>

<IfModule mod_rewrite.c>

  RewriteEngine on

  # Force WWW
  RewriteCond %{HTTP_HOST} ^thedailyreporteronline\.com$ [NC]
  RewriteRule ^(.*)$ http://www.thedailyreporteronline.com/$1 [L,R=301]
  
  # Set base URL
  RewriteBase /
  
  # Clean URLs
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_URI} !=/favicon.ico
  RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
  
  # Custom Gzip for AGG CSS & JS
  RewriteCond %{HTTP:Accept-encoding} gzip
  RewriteCond %{REQUEST_FILENAME}.gz -f
  RewriteRule ^(.*)\.css $1.css.gz [L,QSA]
  RewriteCond %{HTTP:Accept-encoding} gzip
  RewriteCond %{REQUEST_FILENAME}.gz -f
  RewriteRule ^(.*)\.js $1.js.gz [L,QSA]
  
</IfModule>

# Without -MultiViews, Apache will give a 404 for a rewrite if a folder of the same name does not exist.
Options -MultiViews 

# Use utf-8 encoding for anything served text/plain or text/html.
AddDefaultCharset utf-8

# Force utf-8 for a number of file formats.
AddCharset utf-8 .html .css .js .xml .json .rss

# We don't need to tell everyone we're apache.
ServerSignature Off

# $Id: .htaccess,v 1.90.2.5 2010/02/02 07:25:22 dries Exp $
croush’s picture

croush CreditAttribution: croush commented

Because my .htaccess file for the main site is rather customized, and the site that private download is working on isn't, I switched them to see what happens. Still nothing. Rewrites work but all I get is 'Access Denied' errors, even with the super user.

Flushed all caches, rebuilt all permissions, rebooted apache, flushed browsers, tried 5 diff browsers, nothing.

croush’s picture

croush CreditAttribution: croush commented

Well I figured this out after 2+ solid days of hair pulling and teeth grinding.

One word, CKEditor. That's right, I have no idea what it was doing but I turned it off and it worked. Actually, it even fixed what wasn't working last week.

All I did was update to the newest CKeditor (which just came out) and everything is fine.

Chad

johnhanley’s picture

johnhanley CreditAttribution: johnhanley commented

Hi Chad,

Sorry, I was at DrupalCon all last week and am just now catching up on everything.

Yeah, WYSIWYG editors wreak havoc when editing plain text. You'll want to either disable it for the .htaccess field or add an exception in the WYSIWYG settings to suppress it entirely.

Anyway, I'm glad you figured it out.

John

johnhanley’s picture

johnhanley CreditAttribution: johnhanley commented
Component: Miscellaneous » Documentation
Status: Needs work » Closed (fixed)
aangel’s picture

aangel CreditAttribution: aangel commented

Wow, you just saved me loads of trouble. THANK YOU for posting your solution about CKEditor. The module wasn't working for me, either, and I had run out of places to look. I saw this issue, followed it to the end and voilà, problem solved. I turned off CKEditor and the module now works!!

Going to upgrade CKEditor now and if I don't post again, the problem is resolved.

msathesh’s picture

msathesh CreditAttribution: msathesh commented

Thanks for the module. I wasn't able to make my code work (followed from the blog post anyway). It didn't work until I disabled mine. Thanks once again.