I would like to check to see if I have the correct understanding of the Secure Site module. If I have the Drupal File system set to Public, and secure my entire site with Secure Site, Secure Site will NOT prevent the files in the Drupal files folder from the possibility of being accessed directly with the URL by anyone on the Internet. Do I understand correctly?

Thanks

Comments

Darren Oh’s picture

Status: Active » Closed (fixed)

Yes.

Flimm’s picture

Status: Closed (fixed) » Active

Is it possible to make Secure Site protect files in the Drupal folders? By this I don't just mean attachments to nodes, but also user avatars. Currently files like that are easily accessible to users without having to authenticate. Setting the file system to private doesn't seem to work.
I know it's not protected by default, I'm just asking how it could be done.
Thanks.

Flimm’s picture

bump.

sijans’s picture

You can achieve it, please follow the steps:

I am protecting files within sites/default/files

Step 1. Add the code below to the .htaccess file in the folder which you don't want to make accessible without authentication.

RewriteEngine on
RewriteBase /system/files/privatedownloads
RewriteRule ^(.*)$ $1 [L,R=301]

Step 2: Create a module to add it

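// Implementation of hook_file_download(). Replace "yourmodulename" with your
// module's machine name (hyphens are not valid in PHP function names).
function yourmodulename_file_download($file) {
  $info = image_get_info(file_create_path($file));
  // Returning an array of headers allows the download to proceed.
  return array('Content-type: '. file_get_mimetype($file));
}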

Step 3: Manage the file settings at admin/settings/file-system
Within that page we have two types of download method by default.
a. Public
b. Private

Select Private and save it.

After that it works fine. You can restrict access to sites/default/files for unauthenticated users.
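As an added example (not sijans's code and not part of the Secure Site module), here is a stricter hook_file_download() for the same setup: it only answers for files under the privatedownloads directory used in the rewrite rule above, and it denies the download unless the request belongs to a logged-in Drupal user. The module name mymodule is hypothetical, and the code assumes Drupal 6 with the Private download method selected.

```php
<?php
// Added example for illustration; "mymodule" is a hypothetical module name.
// Assumes Drupal 6 and the Private download method (admin/settings/file-system).

/**
 * Implementation of hook_file_download().
 *
 * $filepath is relative to the Drupal files directory, for example
 * "privatedownloads/report.pdf".
 */
function mymodule_file_download($filepath) {
  // Directory taken from the RewriteBase in the .htaccess rule above.
  $protected = 'privatedownloads/';

  // Not our file: return NULL so other modules can make the decision.
  if (strpos($filepath, $protected) !== 0) {
    return NULL;
  }

  // Deny anonymous requests. Returning -1 makes Drupal answer with
  // "access denied" no matter what other modules return.
  if (user_is_anonymous()) {
    return -1;
  }

  // Resolve the path inside the files directory; file_create_path()
  // returns FALSE for paths that fall outside it.
  $path = file_create_path($filepath);
  if (!$path || !is_file($path)) {
    return -1;
  }

  // Returning headers grants the download. "Cache-Control: private"
  // keeps shared proxies from storing the protected file.
  return array(
    'Content-Type: ' . file_get_mimetype($path),
    'Content-Length: ' . filesize($path),
    'Cache-Control: private',
  );
}
```

Requesting a protected file's URL from a browser session that has not authenticated should return an access-denied page instead of the file once this hook and the rewrite rule are both in place.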

zeebo’s picture

Perhaps this issue could be addressed in a patch, or perhaps the module name should be changed? After much searching I had my hopes up thinking this module would let me lock down my entire site, i.e. not just its pages, but all its associated files to authorized users. Respectfully, if in my site I have e.g. images or pdf files etc which have confidential information in them, and this information is accessible via direct url from anyone on the internet I don't know how one could call it a truly secure site.

I have tried using the Private Download feature to deal with this, but it forces you to upload through drupal to make drupal aware of those files, which is problematic for several reasons. I just want to FTP up all my files, and refer to them in the body of my pages, and be sure that only authenticated users can access those pages ~and~ any files I'm serving in them. Has anyone else figured out how to do this?

Darren Oh’s picture

Category: support » feature

sijans’s suggestion would work. This is a feature I would like to see, so patches are welcome.

zeebo’s picture

I'm still getting familiar with Drupal but I believe this module does something like what sijans suggested: http://drupal.org/project/private_download.

However I think this module only works for a single directory. It would be great to have something like this that works recursively through all the subdirectories of a root private directory. So i.e. keep a Public file system for performance but route all confidential files through Drupal. This combination of Secure Site's http authentication for pages and Drupal's security for files could perhaps work together.

Just an idea, like I said I'm new to a lot of this. But in any case thanks for replying to my question.

best
zeebo

zeebo’s picture

I am still trying to secure my whole drupal site, including my simple static files folder (where I simply FTP up my files to). So e.g. I have the folder /mysite/myfiles/ ... and I want to stop unauthenticated people from getting direct access to it e.g. via http://mysite/myfiles/myfile.pdf.

I was hoping I could use Secure Site combined with a special .htaccess file just in this files folder to block out unauthenticated people. I put something like this in the .htaccess file:

AuthType Basic
AuthName "My Files"
AuthUserFile /path/to/htpasswd/file
Require valid-user

In my htpasswd file I have added users which mirror the drupal users. This seems to work, in that once you log into drupal via Secure Site's http login, you can retrieve the file with http://mysite/myfiles/myfile.pdf, but if you're not logged in you can't. I have tested this in Firefox, IE, Safari & Chrome, and it seems to work. However for some reason Opera (v11.11) does not seem to recognize you are already logged in and will put up the http authentication window when trying to retrieve the file.

Is there any way to fix this for Opera? I'm so close to getting this to finally work. Or maybe I'm still on the wrong track? Thanks for any help.