I've just set up a new store running Commerce File 7.x-1.0 and I've added 2 test files. When I log out, those files are visible and downloadable by anyone that's not logged in. The files are set to to upload to "Private files". I'm also running Filefield Sources and on Product Variations I've selected "File attach from server directory" as I upload these files via an ftp program and then I select "File Attach" when I want to select the file that's in the "/file_attach" folder on my server as per documentation.

It's maybe helpful to mention that the path to the file that I'm viewing while I'm logged out is "mywebsite.com/system/files/07%20Wake%20Me%20Up_0.m4v" ...if that's of any help.

I've gone into my Product Display and hid "File" so the file doesn't display on the Product Display but would like to secure it the proper way...what am I doing wrong that anyone could download these files?

Thank you

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

hmartens’s picture

bojanz’s picture

Sounds like you misconfigured the private files, they are coming from the same directory as the regular files.

bojanz’s picture

Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.