Hi all,

I am using the organic groups module on two of my Drupal websites. It was my intention to define a 'group' in order to create a password protected online space for members of this specific group, where they can share information. Other pages (about, news, publications) should still be accessible publicly.

After installation I noticed that only the NODES that are assigned to a certain group (not public) are password protected. Their ATTACHMENTS are not. If I am not logged in, I can still access the PDFs or other files that were attached to the hidden nodes. So if I know the address of the file, I can access it. Is there anything I can do about this?

Till then:

I understood that as long as there are no links on one of the public nodes to the protected PDFs, they will not be indexed by Google. Is this right?

I am using Google as a search function because the Drupal search didn't index attachments. The other day I read there is a module that indexes attachments. I would love to have that module installed as well, but at this moment I am happy I didn't. If I would have, the Drupal search would have indexed also the files that I am trying to hide!

So here I am, hoping that no one will figure out the name of my attached files, that no one will accidentally link to them so that they are indexed, or that someone does anything else that makes these not so well hidden files public. If there are any solutions or tips, please share them with me.

Thank you very much!

Dorine Ruter
http://www.ruter.nl/blog

* PS I know this question has been asked before, but I can't find those posts and I don't recall there was a specific answer to them that helped me. Please let me know where to look for a solution, tip or useful comment. Thanks!

Comments

Brian@brianpuccio.net’s picture

Are you using private downloads?

Dorine’s picture

Thanks Brian. Such a short reply to such a long question... And no, I didn't set the download method to private. (Had never noticed it). Would that do the trick? Here it says:

We recommend setting the "Download method" to "Private" since this still allows you to let all users download any file until you instruct Drupal otherwise.

Some dummy questions, just to make sure I understand:

  • Does it mean that Google can't index the file if it is attached to a non-public node? So I can use this Drupal feature that indexes uploaded files? Can someone tell me where to find it?
  • And... users can't type the exact file address?
  • www.ruaf.org has hundreds of nodes. If I set the download method to private once and leave it there, will that affect the current attached files (mainly attachments to public nodes)?

Thanks for any help here.

Dorine Ruter
http://www.ruter.nl/blog

Dorine’s picture

Ok, so I tested this private download on a new website and it seems to work great. Thanks!

For www.ruaf.org it will be some work. The address of the attached files changes from e.g. "files/test.doc" to "system/files?file=test.doc". For some nodes we made manual links to attachments. We'll have to change these manually...

Dorine Ruter
http://www.ruter.nl/blog

Brian@brianpuccio.net’s picture

Sorry for such a short answer before. I'd rather not write a novel if I could, I usually stop by the support forums before heading to work.

In any event, if you use the public method of handling downloads, the download pretty much skips Drupal, hence the shorter URI that leads directly to the file. When you use private downloads, the download is sort of "piped through" Drupal, which means things like access control, etc, all apply. That is why I suggested you look at it. I personally have never used the organic groups module, so my guess was a shot in the dark given what I know about how Drupal handles files in general.

With respect to Google seeing attachments, etc, just log out of your site and surf it as an anonymous user. Whatever you can get to as an anonymous user, Google will as well.

Hope this all helps.

Dorine’s picture

Hi Brian, the short answer was perfect, because it helped me solve the whole problem! Plus, thanks for the explanation of how the download method works.

About indexing the uploaded files, Google doesn't seem to do that. There is an indexing module available that indexes all uploaded attachments, such as PDF and Word documents. I'll see if this can be installed on my site as well sometime.

In a comment on my weblog, someone wrote there is an upload_indexer.module. Though it is mentioned in some tech posts (via Google), I haven't been able to find much about this module on this Drupal website. If anyone has some more information about this for me, that would be great!

Dorine Ruter
http://www.ruter.nl/blog

Brian@brianpuccio.net’s picture

The indexing module indexes things for your site's built in search. Why Drupal wouldn't index a word document attachment or a PDF attachment, I would not know. I do know Google has the capability to spider these types of files as I do run across them while Googling (Google even offers the option to "View as HTML").

You also might want to look into gsitemap.module.

Also, here is upload_indexer.module.

Dorine’s picture

Hi,

Yesterday my colleague set the download settings of the RUAF website (www.ruaf.org) to private. Just this morning we discovered that files can still be accessed by anyone, using the direct link (www.ruaf.org/files/name.pdf). This happens even with attachments to nodes in a password protected Organic Group, whereas unauthorized users should have been blocked.

So actually it seems this solution still doesn't work after all when someone has the address of the attached file... I only checked the attachment link when I tested all this and that worked perfectly. However I never looked at the direct link.

Is there anyone here that uses some kind of shielded sections in Drupal (via organic groups)? Could you please let me know how you have dealt with the access protection of attachments?

Thanks in advance.

Dorine Ruter
http://www.ruter.nl/blog

Brian@brianpuccio.net’s picture

On my site, I use the private method and while a URI like http://brianpuccio.net/system/files?file=images/usm_how_much.png works, the link http://brianpuccio.net/files/images/usm_how_much.png (where the file is actually on the file system) gives me a 403, as it should.

Have you read the handbook? Please ask smart questions and try not to be a help vampire.
If someone helps you out, give back by playing patch bingo or bug bingo.

Dorine’s picture

Thanks for the quick reply, Brian. What you wrote, I tried just this morning but I never got an error. I immediately got the file... Do you think there is a setting on my server somewhere that I should change?

(I don't even have a clue on where to begin to search for a solution, so all your help would be great.)

Dorine Ruter
http://www.ruter.nl/blog

mh’s picture

In case you're still stuck check out drubeedo's response to http://drupal.org/node/62614.

Basically, make sure your files directory is not in public_html if you want to prevent direct linkage in private mode.
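An added example, not part of the original thread: the logged-out check Brian suggests, applied to both URL forms discussed above (the direct "files/..." path and the "system/files?file=..." path) for attachments that are meant to be members-only. The base URL and file names are constructed placeholders, and `audit_attachments` and `anonymous_status` are hypothetical helper names.

```python
import urllib.error
import urllib.parse
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        # Do not follow 3xx: a bounce to a login page must not be counted as 200.
        return None


def anonymous_status(url):
    """Status code of a GET sent without any session cookie (a logged-out visitor)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit_attachments(base_url, protected_names, fetch=anonymous_status):
    """Classify attachments that should only be readable by group members."""
    report = {}
    for name in protected_names:
        path = urllib.parse.quote(name)  # keeps "/" so sub-directories still work
        direct = fetch(f"{base_url}/files/{path}")
        piped = fetch(f"{base_url}/system/files?file={path}")
        if direct == 200:
            # The web server answers by itself, so Drupal's access checks never run.
            report[name] = "EXPOSED: direct path is served by the web server"
        elif piped == 200:
            # Drupal handled the request and still allowed an anonymous user.
            report[name] = "EXPOSED: Drupal serves it to anonymous users"
        else:
            report[name] = "protected"
    return report


if __name__ == "__main__":
    # Constructed status codes standing in for a live site (placeholder names).
    sample = {
        "https://example.org/files/minutes.pdf": 200,
        "https://example.org/system/files?file=minutes.pdf": 403,
        "https://example.org/files/budget.pdf": 403,
        "https://example.org/system/files?file=budget.pdf": 403,
    }
    result = audit_attachments("https://example.org",
                               ["minutes.pdf", "budget.pdf"], fetch=sample.get)
    for name, verdict in result.items():
        print(f"{name}: {verdict}")
```

Run against a real site, drop the `fetch` argument so the requests go out anonymously; any "EXPOSED: direct path" result means the files directory is still reachable through the web server.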

el777’s picture

Hi, Brian!

Really your files are public. For example, I have no account on your site but if I click on the first URL: http://brianpuccio.net/system/files?file=images/usm_how_much.png I can see an image well.