I have my "Download method" in the File system config set to private. But it looks like anonymous users can still access files via URLs like /system/files/some_file.pdf

Looking at the /admin/user/permissions page, I don't see anything that can be used to control access to files via these /system/files/ URLs. Perhaps I should use htaccess to direct people away from URLs with '/system/files/' in them? That would effectively prevent everyone from accessing the files via that type of URL, so I would then need to write a module (with built-in access controls) to allow select roles to access the files via some other URL format. I'm a little surprised that would be necessary, though. Is there no setting in the 6x core to restrict access via these /system/files/ URLs? Am I missing it?

Thank you,
Ryan

Comments

kscheirer’s picture

Setting the download method to "Private" doesn't have any effect by itself.

It's unfortunately named, and things were cleaned up a lot in 7. If possible, I recommend using 7 for any sort of trickiness around public/private files.

If you're stuck in 6 though, what the private download setting does do, is fire off an extra event, hook_download() I think, that gives you an opportunity to verify that the user can download the requested file. So once you implement this hook, you can get real private downloads.

Also check out http://drupal.org/project/private_download, especially if you're not a coder.

----
Top Shelf Modules - Enterprise modules from the community for the community.

webcomm’s picture

"Setting the download method to "Private" doesn't have any effect by itself."

I understood that this was a bit of a misnomer and "private" just means outside the install directory. However, I figured there must be some setting elsewhere to control file access per user. In my post I mentioned I'm using the private method in case that might be pertinent in some other way I wasn't aware of.

"It's unfortunately named, and things were cleaned up a lot in 7. If possible, I recommend using 7 for any sort of trickiness around public/private files."

I'm hesitant, for the moment. New releases -> new bugs. But if Drupal 7 has per-user file access (or even node access) in the core, I might consider it. : )

"If you're stuck in 6 though, what the private download setting does do, is fire off an extra event, hook_download() I think, that gives you an opportunity to verify that the user can download the requested file. So once you implement this hook, you can get real private downloads."

hook_file_download() checks for "access content", but that's it, and that's hard-coded in. In any case, I have no doubt I can grant access to the files in a fine-grained way in my module by wrapping something around file_transfer(). I'm just a little surprised that, meanwhile, I need to use htaccess to block access via the /system/files/ URLs, if indeed that's the case.

"Also check out http://drupal.org/project/private_download, especially if you're not a coder."

Thanks, I'm a coder. What I'll be working towards, in the simplest way possible, is per-user file access. I believe there are some existing modules and/or combinations of modules that make this possible already, but I'm spooked by some of the bug reports I see in those modules. At first glance I don't think the private_download module will be useful in this case.

Thx.

webcomm’s picture

I wasn't clear in that last paragraph. What I meant is, I'll just go ahead and write a module... a really simple one hopefully.

kscheirer’s picture

It's hook_file_download(). The basic example just checks user_access(), but you're free to write a more complicated check. The return values are a little strange too, -1 to deny access, or an array of headers to grant it.

----
Top Shelf Modules - Enterprise modules from the community for the community.

capoyeti’s picture

Hi webcomm,

please keep us posted on your progress - I would love to move to D7, but am using too many other modules that aren't ready for 7 yet..

Cheers,

WorldFallz’s picture

You actually don't need a module for this. Keep the file system public, use a filefield, and implement the method described at http://drupal.org/node/540754. In d7 it's much improved-- filefield is in core and you can select public/private per fielfield right in the settings for the field itself.

_
Care about the future of the Drupal.org forums? Please join our conversation and show support for improving the forums infrastructure.

capoyeti’s picture

following this..

vitok-dupe’s picture

Subscribe