Hi,

I'm using FileField for mp3 files, which are intended for access by 'subscribed' users (they have a role). I have setup the file field permissions appropriately, and in my views templates, prevent the display of the mp3 file links unless the user has the correct role. However, I can copy the file's URL and in another browser, as an anonymous user, access the file directly.

I have setup Drupal's file system for public downloads, as I also have some non-protected files for general user use.

How can I successfully prevent direct links to the files?

I've looked at the dicussions at http://www.drupalcoder.com/story/406-mixing-private-and-public-downloads... and http://drupal.org/node/189239, but these seem to relate more to the standard file uploads rather than filefields and CCK.

Any clues would be most welcome.

Comments

quicksketch’s picture

The "Private" file system set at admin/settings/file-system will protect all files on your site, including those uploaded by FileField. However the private file system has gargantuan performance problems and I'd discourage you from using it at all costs, unless you're using a system to speed them up such as http://drupal.org/project/xsend. However private files still prevents you from using the CSS aggregator, which is pretty crippling even if you speed up the actual transfers through something like xsend.

Note that you cannot switch the storage mechanism from public to private without manually updating your database and moving files around. Just changing the setting does nothing to your existing files, it will only affect new files that uploaded after the setting has been changed.

px’s picture

I think, I have a workaround for this problem. It's a "wrapper" around file field and involves some apache url rewriting. Not too pretty, but way better than having a completely private filesystem. I currently keep that add-on module in my blog:

http://www.onyxbits.de/content/drupal-and-problem-protecting-uploaded-files

For details on install and setup, see included README.txt

metastate’s picture

Easy fix described in this handbook page: Restrict specific folders from public download (via .htaccess)

Allows you to use a public file system on your site but run a check on access permissions for files in a specific folder. I've got this working with FileField 6.x-3.2 to restrict file downloads via URL by anonymous users.

sgriffin’s picture

This version of Filefield / imagefield does NOT respect the private file system setting and any related anonymous permission setting.

Geijutsuka’s picture

Isn't there some solution to mixing private and public files, similar to how Upload and the module Private Upload work? FileField is a hundred—nay, a thousand!—times better than Upload, and I've had problems with the Private Upload module... but I like the idea of having a convenient way to assign specific files within a node to be private without having to maintain .htaccess files everywhere or *shudder* messing with the private files feature in Drupal. Is there no module that plays nice with FileField to make this happen?

sgriffin’s picture

There's content permissions with the content module, but not a per file permission as far as I know.
For my scenario, the only method of anonymous access for imagecache to a private imagefield requires a double layer of .htaccess files.
One closed .htaccess in the files directory and others undoing your work in the imagecache and related "image" thumbnail directories.

quicksketch’s picture

Isn't there some solution to mixing private and public files, similar to how Upload and the module Private Upload work?

Unfortunately Drupal's file system handling is all-or-nothing private or public. However I think the approach recommended by metastate in #3 is probably the best way to go, where you use public files and then manually redirect certain directories through the private file system handling. In Drupal 7, this has been fixed with the new FileAPI, and the Drupal 7 FileField (now included in core, Upload module is dead) let's you choose per-field which ones you want to be public or private.

izmeez’s picture

subscribing

quicksketch’s picture

Status: Active » Closed (fixed)
mmiguel2014’s picture

Issue summary: View changes

Renaming the URLs of files which have been moved to priv folder

So the problem is that we are able to move all the files to the private folder but all the previous nodes still contain the old URLs of those files.

Is there a method/module which can enable us to change those URLs?

Thx for any response.

sgriffin’s picture

Try a mysql search and replace

UPDATE `mydb`.`files` SET `filepath` = replace (filepath, 'private/files/dir', 'public_html/files/dir') where 1;

mmiguel2014’s picture

Thx for the tip sgriffin but at the end I tried the File Field Paths module:
https://www.drupal.org/project/filefield_paths
and it did the whole work of moving the files from the public folder to the private one.
It also renamed/redirected my old URLs to the new ones.
Cheers,
Michael