I've been browsing through the forum, see that there are quite some issues with private files (as mentionned on the project page as well), but I can't seem to find a solution to my issue which seems to be rather straight forward.

I've created a content type with a file field that uses the Media module. I have a private folder assigned in my file system, and the upload's destination is also set to "private files"

In order to keep things tidy I specified an upload directory as well, assuming it would respect the checked "private files" setting (making the specified folder a private folder - see attachment).

However when I upload a file I can just view it as an anonymous user, and so can Google. This is quite painful as it contains sensitive information.

When I empty the field of the specified folder, it would just upload the file straight under the files directory (not in the private files folder as specified in the file system-configuration), which is also public ofcourse.

Does anyone have an idea how to fix this please? Thought this one would be close, but I can't find a solution there either: #1580820: Provide interfaces for selecting stream wrappers during file upload and converting files between stream wrappers

The File Entity Private Upload module provides the checkbox as illustrated on its project page, but it has no effect on the issue.

CommentFileSizeAuthor
Schermafbeelding-2014-05-16-om-15.36.46.gif69.69 KBknalstaaf
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

knalstaaf’s picture

knalstaaf CreditAttribution: knalstaaf commented
Issue summary: View changes
steinmb’s picture

steinmb CreditAttribution: steinmb commented

Two things.
1. Make sure drupal was able to write a .htacess file to your private dir.
2. Private files is normally stored in a dir, outside drupal root, not inside as you have.

sheldonkreger’s picture

sheldonkreger CreditAttribution: sheldonkreger commented

Also be sure to configure your Drupal private directory either in admin/config/media/file-system or in settings.php

knalstaaf’s picture

knalstaaf CreditAttribution: knalstaaf commented

I've changed the private files folder to a location outside the root, but it doesn't really change anything. Also the .htaccess file is at its proper place at has all the necessary code.

I do notice the following after checking "Private files" below "Allowed URI schemes" in the settings of the upload field (although I learned that this may be now because of other reasons):

(both "pdf" and "private-pdf" are folders set by me through the settings of the upload field)

So the paths are different eventhough both files reside under the files folders, which is good.

Yet it's possible to access the private PDF-file with a direct link as an anonymous user.

I took a look at the user permissions and anonymous user are designated not to view private files, so I'm out of ideas. I'm not using another access-related module that could cause conflicts either.

Edit: the method advised in the article Restrict specific folders from public download (via .htaccess) is not working either. But I think the article is mainly targeted at D6, which didn't have the private file system as D7 has.

Can anyone help us out?

knalstaaf’s picture

knalstaaf CreditAttribution: knalstaaf commented
Category: Support request » Feature request

I've found a working solution to this issue with the Private files download permission module. Maybe it's not a bad idea to have a look at this with the maintainers of that module. I'm sure this can be sorted out :)

sheldonkreger’s picture

sheldonkreger CreditAttribution: sheldonkreger commented

(both "pdf" and "private-pdf" are folders set by me through the settings of the upload field)

I suspect this might be the root cause of your problem. I don't think File Entity has awareness of directory configuration on the field level. Does the private directory you specify on the field match that of the one you specify in the File Entity config (or settings.php) ?

knalstaaf’s picture

knalstaaf CreditAttribution: knalstaaf commented

No, it does not indeed. I thought it would be created in the private files folder (as specified in the "File system" config page) automatically. Instead it creates the private-pdf folder in the default/files-folder.

aleksijohansson’s picture

aleksijohansson CreditAttribution: aleksijohansson commented
Status: Active » Closed (fixed)

#7 doesn't seem to a valid issue any more in the current 2.x-dev version. The folder specified in the field settings is created inside the private file system folder.

knalstaaf’s picture

knalstaaf CreditAttribution: knalstaaf commented

Not sure if related: if the node in which the private field resides is not private (as configured with Content Acces for instance), the private files won't be either.