I know there is A LOT of information concerning this, so please forgive me if I am asking an old question, but I have not found documentation that has resolved what I am trying to do.

I had a request to create a page that required a generic username & password to access. I created a user role and added a user with this role, then created a template for the page where I check that the user is logged in with that role in order to view the page content, or they see the login block and must log in. An administrator can access the page as well. This all works fine.

On this page are links to files contained within a sub-directory (files/classfiles) under the public files directory (files). If a user is logged in with this role, they (or an administrator) should be able to download the files from the page. If, however, someone were to copy a link to a file and send it to someone else, this non-logged-in user should be prompted to enter the same username & password required to log in to the page.

I added an .htaccess file to the file folder and a .htpasswd with the encrypted username & password for the user account, but it prompts for a username & password every time you click a link to a file, even if you are already logged in to the page.

Is there a way to use the .htaccess file to check if the current user is logged in as an administrator or the generic user and, if they are not, prompt them to enter the appropriate username & password?

Comments

jaypan’s picture

Drupal's private file system is built for this exact scenario.

Contact me to contract me for D7 -> D10/11 migrations.

nanthony’s picture

I read about that, but I did come across those that recommended against using private files. I created a node type for the files being used in this password-protected area, and I can re-do it and set it as private. Do I then still need the .htaccess file to allow access for the two roles, or do I need to use something like the content access module and set view permissions for just the two roles? I actually tested making the content type private and installed the content access module, but I never got it to work. I need anyone attempting to download the files that are not one of the two roles to have to log in to get them. Does this still need to be done by special formatting in a .htaccess file located within the file directory? This is where I get stuck.

What I had in place was the file folder (directory) was public with the .htaccess file inside the folder but it was prompting for a username & password even if you had logged into the page correctly.

jaypan’s picture

Who was advising against the private file system? That makes no sense.


nanthony’s picture

I saw comments about possible performance issues and suggestions to locate the files in a folder within the public area and insert the .htaccess file in that folder to control access.

I am open to either. I am just struggling with getting it to work the way I need it to. If you are logged in and are assigned a particular role, you can access the files...if you attempt to click a link to one of the files in this folder and you are not logged in with the proper role, you are routed to login block or window appears for you to enter the proper username & password. Despite all I have read, I have not been able to get this to work how I need it to.

john_b’s picture

Jaypan is right. Performance issues with private file system are not significant.

...if you attempt to click a link to one of the files in this folder and you are not logged in with the proper role, you are routed to login block or window appears for you to enter the proper username & password.

What is wrong with that? If someone is logged in with the right role, they can access the private file. Otherwise not.

HTTP basic authentication is the wrong approach, and the fact it keeps asking for the password is not a Drupal issue. When using HTTP auth, bear in mind that the password is sent with every request. You do not usually see this because after the first request, the browser stores your password and resends it silently. If you wish to use HTTP auth (contrary to good practice, which calls for using the private files system), and you are repeatedly asked for the password, the first thing to check is whether this applies to only one browser. On the server, also check whether you are password-restricting a file with or without a trailing slash / and try both ways, as a redirect from one to the other can cause this behaviour.

Digit Professionals specialising in Drupal, WordPress & CiviCRM support for publishers in non-profit and related sectors

nanthony’s picture

Got things to work as needed using private file. I have been trying to add a 403 redirect for anyone attempting to use URL to one of the private files. Instead of the Access Denied message displaying, which is the default for the site, I want to redirect to a login page to access the page where these files would be available. I have tried adding ErrorDocument 403 /(path to login) but it does not work. It continues to use the site 403 default. Any advice on how I can get this to work? I added the ErrorDocument code to the .htaccess file in the private file directory that was created by Drupal. Getting this to work would have things working as I need.

nanthony’s picture

I tried multiple entries into .htaccess file inside the private file folder to redirect user instead of displaying just the default Access Denied 403 page like ErrorDocument but it did not recognize anything I tried inside of the .htaccess file. What I did instead (and it may not be the best way to do it) was place the following in my template.php file inside the preprocess_page(&$vars) function:

$header = drupal_get_http_header("status");
if ($header == "403 Forbidden") {
  $vars['theme_hook_suggestions'][] = 'page__403';
}

This allowed me to create page--403.tpl.php, which allows the 403 message to load within my theme template, but I also added argument checks for my private file path "system/files/class" (if arg(0) == 'system'....etc)
If these values are found, I do a header("Location:/loginpage"); and redirect the user to the login page that they must first access before getting to the files within the private folder. May not be the best way and I would still LOVE to know how to do it through the .htaccess file in the private folder...or what the heck I am not doing correctly to make it work...but for now, it gets me what I need.

oj.johnson’s picture

Could you post what you added to the .htaccess file to help others?

nanthony’s picture

Did not end up using .htaccess for this. Added the code mentioned (above) to my template.php so that if a visitor gets routed for a 403 error, they are routed to my page--403 custom template. There I inserted some code to check the argument variables from the URL, and if certain arguments exist, I route them to a login page. If none of the conditions I check for exist, it displays (by default) some text indicating that the visitor attempted to access a page that is not available.

Again, it may not be the best way to do this, but it worked for me when I had issues trying to do it via the .htaccess file.
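
Added example (not code from any poster in this thread): private files are requested through Drupal's system/files path rather than served by Apache from the private directory, so an ErrorDocument line in that directory's .htaccess is never consulted for those requests; the role check and the login redirect can instead live in a Drupal 7 hook_file_download() implementation. The module name classfiles, the role names, the class/ directory prefix and the use of core's user/login path are assumptions for illustration.

```php
<?php
/**
 * @file
 * classfiles.module (hypothetical module name), Drupal 7.
 */

// Assumed values: adjust to the site's private sub-directory and login path.
define('CLASSFILES_DIR', 'class/');
define('CLASSFILES_LOGIN_PATH', 'user/login');

/**
 * Implements hook_file_download().
 *
 * Called for every request to system/files/...; returning -1 denies the
 * download, returning NULL leaves the decision to other modules.
 */
function classfiles_file_download($uri) {
  // Only handle private files below the protected directory.
  if (file_uri_scheme($uri) !== 'private'
      || strpos(file_uri_target($uri), CLASSFILES_DIR) !== 0) {
    return NULL;
  }

  // A visitor following a copied link is not logged in: send them to the
  // login form and bring them back to the file afterwards.
  if (user_is_anonymous()) {
    drupal_goto(CLASSFILES_LOGIN_PATH, array(
      'query' => array('destination' => current_path()),
    ));
  }

  // Logged in, but without one of the permitted roles (assumed role names):
  // deny, which produces the site's normal 403 page.
  global $user;
  $allowed = array('class files', 'administrator');
  if (!array_intersect($allowed, $user->roles)) {
    return -1;
  }

  // Permitted role: do not veto. Another module (for example core's File
  // module, for files attached to a node the user may view) must still
  // return headers, otherwise Drupal denies the download by default.
  return NULL;
}
```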