We have built a JavaScript graphics client which is loaded on a specific Drupal page (using drupal_add_js). It displays a result depending on the set of JSON files it loads. Only certain users can access this page/client. We need help understanding how we securely serve sets of these JSON files so the JavaScript client can access them.

The page callback reads the URL parameters which specify a Drupal node which contains the JSON file directory in the private_files system. This set of file details is passed to the JavaScript embedded in the page and this JavaScript then tries to load these JSON files.

We have 1000s of Drupal nodes, each with sets of JSON files. The files are confidential and are currently stored in a directory tree in private_files. So the client JavaScript needs to request URLs which somehow give access to those files if the user is allowed. It can't call the private file system directly.

How do we configure Drupal / extend our module to serve these files to the client upon request whilst ensuring they are validated for the client user (i.e. the user viewing the page that contains the client)? Each JSON file needs to be served with a unique URL but they must not be visible to non-authenticated users.

Is the best solution creating a new page callback function that just returns different file contents from private_files (according to the page parameters), after it has checked the user has correct permissions? As the JSON files are "managed" we could attach them to a Drupal node - if that helped.

Comments

Ayesh

To clarify the question:
- JSON files are stored in the private folder, and this folder is out of the web root (i.e. not directly accessible, even if the .htaccess fails to protect them).
- Your JavaScript requests these files from the client side, and you need to allow access if the user matches certain criteria.

I can think of two possible cases:

- Implement hook_file_download(), and check the access and grant/deny the call.
This is how most of the private file downloads are handled, but it's a bit of a "dirty" approach since you need to actually store the file with the same name.

- hook_menu() implementation + page callback checks access and passes the file content.

This would be the cleanest solution. See the hook_menu API doc for parameters. You will probably need to use "delivery callback" as well, to return JSON data if the user has no access to the file (it would be an HTML access denied page otherwise). I have done this quite a lot of times. Post any questions if you have any. I or other awesome people here will reply with precise information :)
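
The hook_menu() route with a "delivery callback" described above, as an added example that is not code from either poster. It assumes Drupal 7; the module name `mymodule`, the path `graphics-data` and the field name `field_graphics_json` are hypothetical. The file is served only when it is attached to the node the user is allowed to view, so a guessed file ID from another node is refused.

```php
<?php
// Added example for a Drupal 7 custom module. "mymodule", "graphics-data"
// and "field_graphics_json" are assumed names, not taken from the thread.

/** Implements hook_menu(). */
function mymodule_menu() {
  $items['graphics-data/%node/%'] = array(
    'page callback' => 'mymodule_graphics_json',
    'page arguments' => array(1, 2),
    // Reuse node access, so the node's access rules decide who may read.
    'access callback' => 'node_access',
    'access arguments' => array('view', 1),
    'delivery callback' => 'mymodule_deliver_json',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/** Page callback: streams one file, only if it is attached to this node. */
function mymodule_graphics_json($node, $fid) {
  $items = field_get_items('node', $node, 'field_graphics_json');
  foreach ($items ? $items : array() as $item) {
    // Compare as strings so "12abc" in the URL never matches fid 12.
    if ((string) $item['fid'] !== (string) $fid) {
      continue;
    }
    $file = file_load($item['fid']);
    if ($file && file_uri_scheme($file->uri) === 'private' && is_file($file->uri)) {
      // file_transfer() sends the headers and the file, then ends the request.
      file_transfer($file->uri, array(
        'Content-Type' => 'application/json',
        'Cache-Control' => 'private, no-store',
        'X-Content-Type-Options' => 'nosniff',
      ));
    }
  }
  // Unknown fid, wrong node, or missing file: same answer for all three.
  return MENU_NOT_FOUND;
}

/** Delivery callback: reports menu errors as JSON instead of an HTML page. */
function mymodule_deliver_json($result) {
  // Access denied becomes 403; every other error code is reported as 404.
  $status = ($result === MENU_ACCESS_DENIED) ? '403 Forbidden' : '404 Not Found';
  drupal_add_http_header('Status', $status);
  drupal_json_output(array('error' => $status));
}
```

After adding the route, clear the menu cache so Drupal registers it; the client then requests `graphics-data/<nid>/<fid>` for each file.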

charlied

Many thanks for the quick reply - that was very useful, I now understand what to do!

charlied

Here is what I did:

  • There are Drupal nodes of content type "graphics" for each page of graphics
  • Each JSON file is stored in the private file system
  • Each of these "graphics" Drupal nodes has a set of file fields and the stored JSON files are attached to these file fields
  • Access to the Drupal node (and hence the files) is controlled by the content access module
  • The file fields are not allowed to have JSON file extensions uploaded to them (for security reasons)
  • This enables the content access module settings for the "graphics" content type to control the access to all the files associated with a graphics page.

In addition, hook_file_download can be used for more specific additional permission checks over and above these if needed.