Setup:
Drupal 6.26
CKeditor-Module 6.x-1.11
Ckeditor 3.6.4
CKfinder 2.1

Hi,

My Drupal site uses private downloads and stores uploaded files outside of the Drupal directory. I have to deal with the following situation:

When I upload a file to my site with CKEditor, using the CKFinder file browser, a link to the file gets generated using the "/system/files/editor/files/" path.

When the "Enable access to files located in the private folder" checkbox in the Ckeditor Global Profile is not checked, no user can access this file. If I try to access the file, I receive a 404 message (please note that it's 404 - page not found - and not 403 - access not allowed!).

When I check "Enable access to files located in the private folder", the file is accessible. However, the file can be accessed by anyone who knows the link. You don't have to be logged in to access the file! This effectively nullifies the purpose of private downloads. Is this really "working as intended" or is something amiss here? Another thing I'm wondering about is why I receive a 404 instead of a 403 error when I try to access the file when "Enable access to files located in the private folder" is not checked.

Any help is highly appreciated.

Comments

mkesicki

Status: Active » Closed (works as designed)

In the CKEditor global profile, the description of the "Enable access to files located in the private folder" option is:

Use this option with care. If checked, CKEditor will allow anyone knowing the URL to view a file located inside of the private path (I:\www\drupal\sites\default\files), but only if there is no information about the file in the Drupal database. If the path below is specified, anyone will have access only to that location.

Everything works as described. Please use the "Location of files uploaded with CKEditor in the private folder" option to set a subdirectory inside the private directory. After setting this, CKEditor will give access only to this subdirectory.
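
Added example, not part of the thread and not code from the CKEditor module: one way to keep the option enabled while still requiring a login for editor uploads is a small custom Drupal 6 module that vetoes the download in hook_file_download(). The module name "private_guard", its permission string, and the "editor/files/" prefix (taken from the URL in the question) are assumptions; the module also needs its own private_guard.info file before it can be enabled.

```php
<?php
// private_guard.module (hypothetical custom module, Drupal 6 API).

/**
 * Implementation of hook_perm().
 *
 * Declares a permission so access can be granted per role on the
 * permissions page. The permission name is an assumption.
 */
function private_guard_perm() {
  return array('view editor uploads');
}

/**
 * Implementation of hook_file_download().
 *
 * Drupal 6 core collects the return values of every module's hook for a
 * /system/files/... request. If any module returns -1 the request ends in
 * 403, even when another module (here: CKEditor with "Enable access to
 * files located in the private folder" checked) returned headers.
 * If no module returns anything, core answers 404, which is the
 * behaviour seen when the checkbox is not checked.
 *
 * @param $filepath
 *   Path relative to the files directory, e.g. "editor/files/report.pdf".
 */
function private_guard_file_download($filepath) {
  // Assumed location of editor uploads inside the private directory.
  $prefix = 'editor/files/';

  // Normalise separators and leading slashes before comparing.
  $path = ltrim(str_replace('\\', '/', $filepath), '/');

  // Not an editor upload: stay neutral and let other modules decide.
  if (strpos($path, $prefix) !== 0) {
    return NULL;
  }

  // Anonymous visitors and roles without the permission are refused.
  if (!user_access('view editor uploads')) {
    return -1;
  }

  // Allowed: return nothing so the headers supplied by the module that
  // serves the file are used unchanged.
  return NULL;
}
```

After enabling the module, grant "view editor uploads" only to the roles that should read these files, then request an upload URL from a logged-out browser session and confirm it returns 403.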