Hi,
'Private Download' doesn't protect files in subdirectories. Configuration: CCK, Filefield, Filefield paths; the latter one creates subdirectories for file storage below the private file directory; those subdirectories are created dynamically with tokens.
Drupal file directory: sites/default/files
Private files directory: sites/default/files/private
The files to be protected reside in subdirectories of /sites/default/files/private.
sites/default/files/private has this .htaccess file:
$ cat sites/default/files/private/.htaccess
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteBase /system/files/private
RewriteRule ^(.*)$ $1 [L,R=301]
</IfModule>
Subdirectories have no .htaccess file.
Is there any chance to get 'Private Download' working together with dynamically created subdirectories?
Thanks, -asb
Comments
Comment #1
johnhanley commented:
It's an interesting idea. We need to devise a way to programmatically insert a .htaccess file each time a new directory is created.
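One way to do what comment #1 describes, as an added example that is not code from the thread or from the Private Download module: a script, run from cron or after uploads, that writes a .htaccess with a matching RewriteBase into every subdirectory that lacks one. The URL prefix is the RewriteBase from the original post; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Private Download module.
# URL_BASE is taken from the RewriteBase in the original post.
URL_BASE="/system/files/private"

# Print the .htaccess body for one subdirectory.
# $1: path relative to the private files directory, e.g. "veille/2010"
htaccess_for() {
    printf '%s\n' \
        '<IfModule mod_rewrite.c>' \
        'RewriteEngine on' \
        "RewriteBase ${URL_BASE}/$1" \
        'RewriteRule ^(.*)$ $1 [L,R=301]' \
        '</IfModule>'
}

# Write a .htaccess into every subdirectory of $1 that lacks one and
# print how many were written. Existing files are never overwritten.
# Assumption: directory names contain no spaces; such names are
# skipped with a warning because RewriteBase would need quoting.
protect_subdirs() {
    private_dir="${1%/}"
    written=0
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        rel="${dir#"$private_dir"/}"
        case "$rel" in
            *" "*) echo "skipped: $dir" >&2; continue ;;
        esac
        if [ ! -e "$dir/.htaccess" ]; then
            htaccess_for "$rel" > "$dir/.htaccess"
            written=$((written + 1))
        fi
    done <<EOF
$(find "$private_dir" -type d ! -path "$private_dir")
EOF
    echo "$written"
}

# Constructed sample tree standing in for sites/default/files/private.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/private/veille/2010" "$demo_root/private/reports"
echo "first run wrote:  $(protect_subdirs "$demo_root/private")"
echo "second run wrote: $(protect_subdirs "$demo_root/private")"
cat "$demo_root/private/veille/2010/.htaccess"
rm -rf "$demo_root"
```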
Comment #2
mhawker commented:
subscribed
Comment #3
Daniel Wentsch commented:
Subscribing
Comment #4
alex.pilon commented:
The best solution to this is to put the private files directory outside of the web root.
Not doing this is like a bank keeping its money behind the desk. "You can't see it, but it's here." Whereas in the vault it's like whether or not you know it's there, you can't access it.
So if you can, have /home/mysite/web and /home/mysite/files, and point Apache to the first directory and tell Drupal to private download from the second one.
You could also do it like this: http://httpd.apache.org/docs/2.2/mod/core.html#directory (the last example of the section)
This could go in the main htaccess file and should restrict direct access to anything in this directory. (This snippet probably needs adjustment.)
Deny from All
Comment #5
asb commented:
@alex.pilon: I think you are missing the point of the 'Private Download' module. From the project page:
For sure there are safe(r) ways to handle files, and for sure there are safe(r) systems than Drupal to deal with money-like files. The 'Private Download' is for use cases where the given things are a) Drupal, and b) public files configuration.
Comment #6
msathesh commented:
Is there any update on this? I'm in a similar situation to protect sub-directories within private folder. Any alternate solutions?
Comment #7
anrikun commented:
@all: what you experience is not normal.
All my private files are always stored in sub-directories of private dir, and still it works as expected without any change.
No extra .htaccess should be necessary.
Isn't there any .htaccess in a parent directory that breaks something?
A real example:
Try to download http://www.lelieududesign.com/sites/default/files/private/veille/veille-...
You will notice that the file is in sub-directory private/veille and I guarantee that there is no extra .htaccess inside this sub-directory. Still you should not be allowed to download the file.
Comment #8
asb commented:
@anrikun: You're probably running non-standard settings in your Apache configuration, or you have modified the site-wide .htaccess file somehow. Can you give us your configs for comparison, e.g.:
Comment #9
anrikun commented:
My config looks the same:
All .htaccess files are Drupal default ones.
Especially the one inside /sites/default/files:
Comment #10
johnhanley commented:
Closing due to Drupal 6 end-of-life cycle.