Hi,
I've set up my Drupal installation to:
- default download method: private local files
- the private folder (which was nicely created by Drupal on the file system) with the appropriate .htaccess in it, with the following content:
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Deny from all
Options None
Options +FollowSymLinks
- then I uploaded the file x.mp3 via FTP into the private folder. I tried to access the file directly via exemple.com/sites/default/files/private/x.mp3; access was denied
- then I set up a field of type file, widget audioupload, upload destination: private files, and field display soundmanager Inline player.
- I uploaded a file y.mp3 via the newly created field
- when I view the page I can play the file, which is all fine
- but when I access the file directly via exemple.com/system/files/y.mp3?uuid=.... I can access it.
I thought that the direct access to the private files was supposed to be blocked. What am I doing wrong?
Many thanks
Comments
Check if the web server looks up .htaccess in the first place.
Put some random stuff in that folder's .htaccess. If you get a 500 error code, it means Apache has followed this file.
Ok
I'll do that. I'm sure that it follows the main .htaccess in the upper folders, since I wrote many redirects there...
Thanks
Permissions denied
I had to change the permissions on the .htaccess, and then I changed it, but there is no error.
I now wonder, though, whether that's not normal, since the actual folder is sites/default/all/files/private, whereas Drupal generates the automatic link to the file loaded in the private folder at /system/files/
Thanks
I did more testing
So when I put some random text in the .htaccess and accessed the files via
exemple.com/sites/default/files/private/x.mp3
exemple.com/sites/default/files/private/y.mp3
both of them were available
when I changed the .htaccess back to its initial form and tried again to access
exemple.com/sites/default/files/private/x.mp3
exemple.com/sites/default/files/private/y.mp3
I got for both files error 403 forbidden
Access to this resource on the server is denied!
Powered By LiteSpeed Web Server
LiteSpeed Technologies is not responsible for administration and contents of this web site!
What do you think?
A 403 response is the desired response.
Private files have the accessible URL under system/files because these files need to be transferred via Drupal. But direct access should not be allowed.
However, I'd rather place my private files folder somewhere above the doc root.
For example, if your index.php is in /var/www/index.php, place the private files in /var/www-private so these files are not accessible whether an .htaccess is there or not.
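The "private files above the doc root" advice from the reply above, as an added settings.php example that is not part of the thread. It assumes Drupal 7 (where the private path is the `file_private_path` variable and can be forced from settings.php via `$conf`), the /var/www docroot and /var/www-private directory named in the reply, and that the web server user can read and write that directory; the bootstrap sanity check at the end is this example's own addition.

```php
<?php
// sites/default/settings.php (Drupal 7). Added example, not from the thread.
//
// Weak setting, shown for comparison: the private directory sits inside the
// document root, so the only thing stopping a direct GET of
// /sites/default/files/private/x.mp3 is the .htaccess Drupal wrote there,
// which is worthless on any server that does not honour .htaccess.
//
//   $conf['file_private_path'] = 'sites/default/files/private';
//
// Hardened setting: the directory is outside the document root, so the web
// server has no URL that maps to it and every request must go through
// Drupal's system/files route (and therefore through its access checks).
$conf['file_private_path'] = '/var/www-private';

// Sanity check: warn at bootstrap if the private path still resolves inside
// DRUPAL_ROOT (for example after a careless migration). DRUPAL_ROOT is
// defined by index.php before settings.php is included; the defined() guard
// keeps this harmless under other entry points.
if (defined('DRUPAL_ROOT')) {
  $private_real = realpath($conf['file_private_path']);
  $root_real = realpath(DRUPAL_ROOT);
  if ($private_real !== FALSE && $root_real !== FALSE
      && strpos($private_real . '/', $root_real . '/') === 0) {
    trigger_error('file_private_path resolves inside the document root: '
      . $private_real, E_USER_WARNING);
  }
}
```

After changing the path, check the value shown at admin/config/media/file-system, move any existing private files into the new directory, and confirm that a direct request for a file under the old location returns 403 or 404 while the system/files URL still serves it to an authorised user.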
Hi Ayesh,
I'll do that. What worries me most is that .htaccess does its job of preventing direct access, even if it's in /site/default/files/private, but Drupal allows it... via /system/files
I'll give it a try though and come back to you
_
By default, Drupal access to private files is based on the node to which they are attached. So any system/files path will use node access to determine whether the files are accessible.
Edit:
For more info see https://drupal.org/documentation/modules/file#content-accessing-private-....
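The access path described in the reply above (system/files goes through Drupal, which asks modules whether the download is allowed), as an added example that is not part of the thread or of any contributed module. It is a minimal Drupal 7 module, hypothetically named `private_audio`, that implements `hook_file_download()` to add a permission check on top of core's node-based grant for private audio files. The module name, the permission string and the file path are assumptions for illustration.

```php
<?php
/**
 * @file
 * private_audio.module (Drupal 7). Added example, not from the thread.
 *
 * Drupal invokes hook_file_download() only for requests to system/files,
 * i.e. files on the private:// scheme. Each implementation may return:
 *   - NULL  : no opinion, let other modules (such as core's file module,
 *             which checks node access) decide;
 *   - -1    : deny. In file_download_headers() a single -1 discards every
 *             header granted by other modules, so the request ends in 403;
 *   - array : response headers, which grants access.
 */

/**
 * Implements hook_permission().
 */
function private_audio_permission() {
  return array(
    // Hypothetical permission defined by this example module.
    'listen to private audio' => array(
      'title' => t('Listen to private audio files'),
    ),
  );
}

/**
 * Implements hook_file_download().
 */
function private_audio_file_download($uri) {
  // Only private files are routed through here, but be explicit: never
  // make a statement about public:// or other schemes.
  if (file_uri_scheme($uri) != 'private') {
    return NULL;
  }

  // Restrict the check to audio; everything else keeps core's behaviour.
  $mime = file_get_mimetype($uri);
  if (strpos($mime, 'audio/') !== 0) {
    return NULL;
  }

  // Deny overrides any grant another module would have returned, so an
  // anonymous visitor gets 403 even when the node holding the file is
  // published. Authorised users fall through to core's node access check.
  if (!user_access('listen to private audio')) {
    return -1;
  }

  // Grant, serving the file inline so the in-page player still works.
  return array(
    'Content-Type' => $mime,
    'Content-Length' => filesize($uri),
    'Content-Disposition' => 'inline; filename="' . basename($uri) . '"',
  );
}
```

This narrows who can fetch system/files/y.mp3 to users holding the permission; it does not change the conclusion reached later in the thread. Whoever is allowed to play the file in the browser has by definition received its bytes and can save them, and a `Content-Disposition: inline` header is a hint to the browser, not a control.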
Thank you WorldFallz,
You are right, it works the way you describe it.
Which means that there is no bug; it's just that as long as the nodes are published, the files will be as well, even via the direct link /system/files
I'm using some mp3 files directly in a player, and my end goal was to prevent people from downloading the files, but allow them to play them within the browser.
I thought that the private filesystem would help me, but I understand that it cannot really help me...
In any case I would like to thank you all for your support, it's amazing how fast one can learn and get to the bottom of issues.
_
Not possible... and it's not Drupal specific; that's just the way it works. If a browser can see/display/play it, then the user has access.