Hi,

How do I make files "private"?

It's said in a lot of descriptions and tutorials: set in settings.php, e.g.:

$settings['file_private_path'] = 'sites/default/files/private';

Then under "/admin/config/media/file-system", under "Private file system path", we see:
'sites/default/files/private'

Then again under "/admin/config/media/file-system", under "Default download method", we choose the radio button "Private local files served by Drupal."

But the files uploaded under /admin/content/media with the "+Add media" button still get stored under the public folder, e.g. "/sites/default/files/2021-11/".

Why?
Thank you

Comments

vm’s picture

The private folder should be placed above the webroot and your paths changed to match, for the highest level of security.

That said, if you look at the path to the files in the rendered web page you will note they are referenced using the private file path url regardless of where they are 'stored' in the file system.

ceccoo’s picture

Something is not right in my understanding.

Besides the security aspect, why isn't it working already, since all the steps are done:
1) settings.php
2) under "/admin/config/media/file-system", all configurations...
except the path is not the highest level of security....

Now the setting is like this, placed above the webroot:

settings.php

$settings['file_private_path'] = 'example.com/projectfolder/private';

And the configuration under /admin/config/media/file-system (screenshot)

https://nowtransfer.de/e7ef134b5d5a

mmjvb’s picture

A relative path should be relative to the webroot (DocumentRoot); I'm not even sure it works. It looks like it can't create an .htaccess in it when it is not an absolute reference. I suggest checking the recent log messages, category "security". It should report not being able to create the desired .htaccess. It also tells you what to put into it.

After making changes you need to rebuild cache and run cron. The status page doesn't report issues about it when everything is ok.

ceccoo’s picture

Now both paths are working, but only in two aspects :(

settings.php

$settings['file_private_path'] = '/www/htdocs/username/example.com/drupalproject/private';
$settings['file_private_path'] = '../private';

1) It creates a private folder (ok)
But, as you said... (Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your private:// directory which contains the following lines:)

2) and the files get uploaded in this folder... (ok)

3) Not working! Even after creating .htaccess in the "private" folder, the files are accessible to any visitor. Why?

# Deny all requests from Apache 2.4+.
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>

# Deny all requests from Apache 2.0-2.2.
<IfModule !mod_authz_core.c>
  Deny from all
</IfModule>

# Turn off all options we don't need.
Options -Indexes -ExecCGI -Includes -MultiViews

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>

I cleared the cache and ran cron under /admin/config/development/performance

also "drush rebuild"

The private folder has chmod 755

What is wrong?
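The replies above boil down to three things a private file path has to satisfy: it must resolve outside the webroot, it must contain the deny-all .htaccess Drupal tries to write, and it must be writable by the PHP account without being world-writable. The POSIX shell function below checks exactly those three points for a given DOCROOT and the value of $settings['file_private_path'] (absolute, or relative to the webroot as in the original post). It is an added example, not code from this thread or from Drupal; the directory layout it is run against in the usage line is constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a Drupal private file path.
# Usage: check_private_path DOCROOT PRIVATE_PATH
#   DOCROOT      the web server's document root (where index.php lives)
#   PRIVATE_PATH the value of $settings['file_private_path'], absolute or
#                relative to DOCROOT
# Prints one line per check and returns 0 only when all checks pass.
check_private_path() {
  docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "FAIL: docroot $1 missing"; return 1; }
  case "$2" in
    /*) private="$2" ;;
    *)  private="$docroot/$2" ;;          # relative paths are relative to the webroot
  esac
  private=$(cd "$private" 2>/dev/null && pwd -P) || { echo "FAIL: private dir $2 missing"; return 1; }
  status=0

  # 1) Outside the webroot: the resolved private dir must not sit under DOCROOT.
  case "$private/" in
    "$docroot/"*) echo "WARN: $private is inside the webroot $docroot"; status=1 ;;
    *)            echo "ok:   $private is outside the webroot" ;;
  esac

  # 2) The .htaccess Drupal writes into private:// must exist and deny direct requests
  #    for both the Apache 2.4+ and the 2.0-2.2 syntax.
  if [ ! -f "$private/.htaccess" ]; then
    echo "FAIL: no .htaccess in $private (check the 'security' log category)"; status=1
  elif ! grep -q 'Require all denied' "$private/.htaccess" \
       || ! grep -q 'Deny from all' "$private/.htaccess"; then
    echo "FAIL: .htaccess in $private lacks the deny-all rules"; status=1
  else
    echo "ok:   .htaccess denies direct requests"
  fi

  # 3) Writable by the account running this script (ideally the PHP user),
  #    but not world-writable. Works with GNU stat and BSD stat.
  if [ ! -w "$private" ]; then
    echo "FAIL: $private is not writable by $(id -un)"; status=1
  fi
  perms=$(stat -c '%a' "$private" 2>/dev/null || stat -f '%Lp' "$private")
  case "$perms" in
    *[2367]) echo "FAIL: $private is world-writable (mode $perms)"; status=1 ;;
    *)       echo "ok:   mode $perms" ;;
  esac
  return $status
}

# Run directly: ./check_private.sh /www/htdocs/username/example.com/drupalproject ../private
if [ $# -ge 2 ]; then
  check_private_path "$1" "$2"
fi
```

Run it as the same user PHP runs as (for example via sudo -u www-data), because the writability check is about that account, not about your login shell. A "WARN" on the first check is exactly the situation in the original post: the folder under sites/default/files is served by the web server directly, so Drupal's access control never sees the request.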

jaypan’s picture

So far you have only configured your system to be able to use private files. You then need to edit the configuration for each of the file fields that are supposed to have private files.

Contact me to contract me for D7 -> D10/11 migrations.

ceccoo’s picture

OK, I went through "Adding a file field to a content type" again: https://www.drupal.org/docs/8/core/modules/file/overview

It seems to work when adding content by my file-content type. But now the taxonomy/tags are not working as usual. What could be the reason? Is it connected with the other question (.htaccess)?

Thanks

EDIT: Under /admin/people/permissions, "View media" was allowed for "Anonymous user", but unchecking it didn't change anything. The content page, which should only be available to authenticated users, is still available, and even the "private" media file...

leeksoup’s picture

Removed to make separate issue as unclear if my problem is the same as reported here.