By datamodel on

why do image links point to /system/files when my file path is set to files ?

This occurs with download method set to "private" resulting in broken images.

when this is set to "public" , the link's path is mysite/files/....

So every time I set dwnld method to "private" i have to move my files folder to a "system" folder ? or what am i missing ?

Categories: Drupal 4.7.x

Comments

anner’s picture

anner commented

Switching between public and private download is a bad idea. You'll want to pick whichever one is appropriate for your site. This is because the files are stored in a publicly accessible location if you use public, and are stored in a private, non web accessible location if set to private. Even if you move the files, there is no guarantee it will work.

dldege’s picture

dldege commented

system/files is a menu path that goes to a PHP handler for locating and transfering private files so that the real path on the server is never visible to site users. Its still up to you to make sure the private location is not accessible from your server if the real path was ever determined (with .htaccess or other method).

dLd

datamodel’s picture

datamodel commented

So why do image links become broken ?
And how do I get around that?
The situation is now that I WANT to keep the setting to private. But doing so, disappears the images.
So how can I achieve this? keep 'em private && still have them correctly linked and displayed?

It's a such a simple thing - that it's unbelievable with the complexity and flexibility and simplicity of the drupal system - it must boil down "there's no guarantee it's gonna work". Well it is not working. And i'd like to fix it.
What should i do ?

anner’s picture

anner commented

When I made this change, I deleted and re-uploaded all my files. It was easier. You should be able to move the files into the specified private location and have it work, but I'm not sure on that one.

Lenny1942’s picture

Lenny1942 commented

you put the settings to private,

but don't forget to allow anonymous visitors and registered visitors to view uploaded files.

then the pics should show.
use full html to post em and img src tags

datamodel’s picture

datamodel commented

in the Administer > Access Control settings.

anner’s picture

anner commented

This may be a stupid question, but did you move the files from the files/ dir to the private directory you specified in the settings section?

datamodel’s picture

datamodel commented

hoping to solve this issue without having to move the files from the "files/" directory. The private files path is the default "files/" and I wanted to keep it this way.

anner’s picture

anner commented

When you set the setting to private, you have to give the full path for the folder, you can't just say files/ it would have to be something like /var/www/html/files/
Try specifying your full path and see if that helps.

datamodel’s picture

datamodel commented

Should the path include a trailing slash ?

Also in windows, do I use forward or backward slashes ?
Thanks.

anner’s picture

anner commented

Don't need the training slash.

No idea, I don't use windows.

bmargulies’s picture

bmargulies commented

I'd like some uploaded files to have different access properties than others.

cwalkabout’s picture

cwalkabout commented

anner & datamodel, if you're still reading this thread, for truly private files you should use a directory that is not in your web tree, i.e. not /var/www/html/files/ but something like /var/files or /var/www/files instead. Otherwise someone can just link directly to something you uploaded (e.g. http://yoursite/files/blah.jpg) regardless of their Drupal permissions. Note you still create links to files that are outside of the web tree like this: <img src="/system/files/blah.jpg">

datamodel, on my Windows test box I used backslashes for the File System Path, and it worked fine.

bmargulies, in another thread (http://drupal.org/node/102584), CogRusty says:

For more advanced control, you can enable "view uploaded files" for everyone and then use an access control module such as taxonomy_access for more fine grained access per user role: Any user roles you have specified won't be able to view a private file if they are not allowed to view the node where it was uploaded (the 'system/files/filename' link will give them a "page not found").

I haven't tried that yet myself, though.

anner’s picture

anner commented

Yes, I have my files outside a web browsable directory. That was not the issue here. But you may want to note that this is not necessary. You can also use an htaccess file to protect those files from being pulled up by anyone but the drupal program.

register’s picture

register commented

I'm curious what you would add to the.htaccess file to do this? I came across this thread while looking for an answer to a problem I was having with the video module (information found here fixed it, btw) and now I'm trying to figure out the best method for my setup.

anner’s picture

anner commented

your .htaccess should look like this:

ORDER DENY,ALLOW
DENY FROM ALL
ALLOW FROM XXX.XX.XX.XXX

where XXX.XX.XX.XXX is your web server's IP. This is fully protective if you have your own IP.

wmad’s picture

wmad commented

I faced the same issue, and I needed the download method to be private. I am using imagecache and some nodes/images are meant to be accessed publicly. What's missing was giving anonymous user access to such imagecache types...

slotid’s picture

slotid commented

why do image links point to /system/files/... ?

modules/system/system.module hook_menu -> includes/file.inc:function file_download()

Use 

hook_file_download

to control it.