This project is not covered by Drupal’s security advisory policy.


The user files module allows your users to upload files to the site without creating nodes.
Files uploaded are associated with the uploading user and private, even whilst the site is in public file mode.
The files themself reside in a folder that is not publicly readable (via .htaccess directives) whilst the module permits the owning user to view/download the files by rerouting urls via the private path (system/files) and then performing the appropriate permissions checks.


  • Thumbnailing for image files
  • Imagecache integration (see known issues below)
  • File extension limits
  • Total upload limit (size)
  • File upload limit (size)
  • Analysis of uploaded images to identify color-spectrum


The .htaccess directives only work with the Apache http server, ensuring the uploaded files are private on other servers is not supported (patches welcome).

  • Imagecache
  • Imageapi
  • The core upload module (to handle upload limits and permitted file extensions)

Known problems

The module prevents access to imagecache derivatives whilst the derivative has not been created. At present once the owning user has generated an imagecache derivative, these become hotlinkable as the path is no longer handled by Drupal, instead served directly by Apache. Site administrators can mitigate this problem whenever they create a new imagecache preset by copying the .htaccess file from the files/user_files folder into the matching user_files folder for that imagecache preset.
For example if you have an imagecache preset called 'mythumb', once you generate your first 'mythumb' derivative of a user_files managed image, you will see the following folder in your site's files directory:
You should copy the .htaccess file from files/user_files into that folder.
As imagecache presets are generally defined during site design, you should not need to do this again once your site is live.
Work has been done on automating this process but all methods to date have been rejected due to unnecessary load on the server. At present imagecache does not have a hook to notify other modules of the existence of new presets and therein lies the problem.


This module was developed by Lee Rowlands of Rowlands Group and sponsored by Website Express

Supporting organizations: 

Project Information