My default download method is public and I disabled serving of private files by IMCE because I don't want ALL my private files (including my database backups) to be publicly accessible... + I read it is bad practice.

My private folder is located under sites/default/files/private and my public one sites/default/files
This means that I can actually add files inside my private directory using IMCE.
However, these files are indeed completely private by default, so unless I do something about it no one even user1 can access them. For example, if I try to add an image inside the body field, no one will see it.
Well that's exactly what I want. The modules File Entity and File Entity Permissions let me assign some role-based access permission for each individual file added to the system.
Unfortunately for it to work, I must access the file using the url "system/files/myfile.pmg" not "sites/default/files/private/myfile.png"
The problem is that with my current config of IMCE, when I try to add a file inside my private directory, IMCE will use the url "sites/default/files/private/..." not "system/files/..."
I could change it manually but I cannot ask my clients to.

So my question is : is there a way to tell IMCE to use the "system/files" url for files located inside a given folder?
Or maybe a "Private File Explorer"? That would open the private structure and automatically add the url "system/files".
Or maybe I should put a rewrite rule inside the .htaccess of my private folder that would redirect every "sites/default/files/private/myfile.png" requests to "system/files/myfile.png"

Another solution I consider would be to change my default download method to private and actually enable serving of private files by IMCE. But first you would have to convince me that this is not dangerous.
I understand that I could save my database backups outside my root installation so that IMCE does not make my backups publicly available.
But what about Drupal private fields? Right now if I create a Drupal file field that is configured as private, only roles that have access to the field will have access to the file via its url. Will that be broken if I enable serving of private files with IMCE?

Thank you in advance,



nhart’s picture

I have this exact same use case. I was wondering if I had the wrong approach, but after reading your notes, I see I'm not alone.

Looking forward to see what comes of this.


audriusb’s picture

everything what relates to ckeditor are not my favorite things...

on topic:

in imce.js, around line 658 is a function called "getURL". I changed it as follows:

getURL: function (fid) {
  if (imce.conf.dir.match(/^private\//)) {
    var new_link = imce.conf.dir.substring(8, imce.conf.dir.length);
    return '/system/files/' + new_link + '/' + fid;
  var path = (imce.conf.dir == '.' ? '' : imce.conf.dir +'/') + fid;
  return imce.conf.furl + (imce.conf.modfix ? path.replace(/%(23|26)/g, '%25$1') : path);

what it does is if the selected file is in the folder called private, which is the default private files folder I believe, then it returns /system/files/
link. All public files url are untouched.

audriusb’s picture

Also don't forget to clear the cache to see the difference.