6

I need to develop a site on Drupal 7. I have some content types with File fields in CCK. Access to nodes of these types should be granted only to a specific Drupal user role, and at any moment the site administrator should be able to make these nodes 'public' or 'private'.

I can make nodes visible only to specific user roles, but this is not secure enough. If an anonymous user knows the path to a file ( www.mysite.org/hidden_files/file1 ), he can download it.

What is the most elegant way to solve this problem?

Thanks in advance.

mechmsk
  • I haven't used this module, but I'm going to install it. It allows you to restrict access to files by role. https://drupal.org/project/file_access – David Pugh May 15 '14 at 04:05
  • 1
    Another restriction of private files by role, but not in alpha https://drupal.org/project/private_files_download_permission – David Pugh May 15 '14 at 04:51

1 Answer

9

Check out this documentation here: http://drupal.org/documentation/modules/file

Specifically, the section titled "Managing file locations and access" which talks about setting up a private data store (all supported by Drupal 7, it just needs to be configured).

To paraphrase, create a folder such as:

```
sites/default/files/private
```

Put a .htaccess file in that folder with the following to prevent direct access to the files via the web:

```
Deny from all
```

(The documentation claims that the following step does the above steps automatically. I haven't tested that, unfortunately, but you may be able to save some time if you skip the above two steps.)

Log into Drupal's admin interface, go to /admin/config/media/file-system, configure the private URL and select Private Files Served by Drupal as the default download method.

In order to define the fine-grained access to nodes and fields, you can use Content Access: http://drupal.org/project/content_access

You will also need to edit your content types and set the file / image upload fields to save the uploaded files into Private Files instead of Public Files.

At this point, the node and field level permissions will determine whether or not users are allowed to access the files which will be served through menu hooks that verify credentials before serving the file.

Hope this helps.

Alex
  • 1
    Actually, you can also set the private directory to be outside of your web root, such as (relative to server root) /home/[your-account]/private. Make sure the directory is writable by Drupal, which depending on your server config can have a variety of different permissions and group privileges. – Alex Mar 24 '12 at 07:51
  • Thanks a lot! I mark this answer as 'accepted'. Sorry, not able to mark it as 'useful', because I have reputation < 15 – mechmsk Mar 24 '12 at 10:23
  • No worries, happy to have been of assistance. – Alex Mar 24 '12 at 17:31
  • 1
    As a matter of fact, even if you use the Drupal file system and set your file field to use the private file system, as long as your node containing the file is published, anyone with a direct link will be able to download your file. There is no file-level access control, only node-level, and even if your node cannot be accessed by everyone, the file will be! – Nir Dec 17 '12 at 16:09
  • @Nir: so it is not useful to set files as private when they are in reality public? Why should I create private files when I need to set them as private with other tools? I think Drupal is a little tricky in setting private files. – tomas.teicher Apr 19 '13 at 01:41
  • @Nir: Having .htaccess `Deny from all` takes care of that. The web server (if you're using Apache) is not going to serve that file directly no matter what. – Davor Cubranic Dec 17 '15 at 18:36
  • Is it possible to *only* allow private upload? If we give some users the permission to upload to the private dir, they have the **choice** to upload into public or private. But I want them to have no choice, they should just be able to upload into *private* - How can I manage that? All permissions that I set did not help. – nerdoc Feb 28 '16 at 19:33
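
The answer above notes that private files are served through menu hooks that verify credentials before sending the file. As an added example (not code from the answer, its comments, or Drupal core), a small Drupal 7 custom module can add its own per-role check with `hook_file_download()`. The module name `restricted_files`, the permission string and the `restricted/` subdirectory are assumptions made for illustration.

```php
<?php
/**
 * @file
 * restricted_files.module (hypothetical module name, added example).
 */

/**
 * Implements hook_permission().
 *
 * Grant this permission to the trusted role at admin/people/permissions.
 */
function restricted_files_permission() {
  return array(
    'download restricted private files' => array(
      'title' => t('Download restricted private files'),
      'description' => t('Download files stored under private://restricted/.'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_file_download().
 *
 * Called for every private file request (system/files/...). Returning -1
 * denies the download even if another module would allow it; returning NULL
 * leaves the decision to the other implementations, such as the node and
 * field access checks done by the File module.
 */
function restricted_files_file_download($uri) {
  // Only private:// URIs are in scope for this check.
  if (file_uri_scheme($uri) !== 'private') {
    return NULL;
  }
  // Assumption: the File field's "File directory" setting is "restricted",
  // so its uploads live under private://restricted/.
  if (strpos((string) file_uri_target($uri), 'restricted/') !== 0) {
    return NULL;
  }
  if (!user_access('download restricted private files')) {
    // Log the refusal so repeated guessing of file paths shows up in dblog.
    watchdog('restricted_files', 'Denied download of %uri.',
      array('%uri' => $uri), WATCHDOG_NOTICE);
    return -1;
  }
  // Never return headers here: this hook only adds a restriction.
  return NULL;
}
```

Because the hook only ever returns -1 or NULL, it can tighten access to files in that directory but cannot grant access that the node and field permissions would refuse.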