Anonymous users can access files uploaded to my webfm directory, which I do not want.

My file system is set to private. Anonymous users have no access to any webfm permissions.

I put this .htaccess file on my root webfm directory (from http://drupal.org/node/372322):

order allow,deny
deny from all

Anonymous users get "forbidden" message when they try to go to:

files/webfm/thefile.txt

However, they have no restriction when they go to:

system/files/webfm/thefile.txt

I don't have any of the "Default File Permission" blocks checked in Webfm settings, which I assume means no one can access the file except owner or administrator.

Please tell me what I've missed here in order to not allow anyone to access files uploaded to webfm directory unless those files are attached to some node?

Comments

SomebodySysop’s picture

Status: Active » Fixed

I came up with a solution based on this post: http://drupal.org/node/442142

I'm marking this as fixed because I've added this code to my own custom module and it works; however, I do believe something like this should be added to webfm manager to make it more secure. Even if I had taken the webfm directory out of the web root directory tree, the Drupal "system" would still have given access to these files as they aren't in the files table.

What I really wanted to do was not allow anyone direct url (i.e., "files/webfm/file" or "system/files/webfm/file") access to a file unless it was attached to a node and therefore had some permissions associated with it. Using .htaccess (as suggested here: http://drupal.org/node/372322) resolved the first access problem: "files/webfm/file". The second problem was that my site uses the "private" file download method, and therefore all webfm files are available to anonymous users via the "system/files/webfm/file" url because the system doesn't recognize these files (because they aren't in the files table).

I fixed this by using hook_file_download to create a file access rule for webfm files: "If the file is in the webfm directory tree and is NOT attached to a node, then you can't access it via the "system/files/webfm" method." This stops anonymous access dead in its tracks.

/**
 * Implementation of hook_file_download().
 *
 * Returning -1 tells file_download() to deny the request, which overrides
 * any headers another module (such as webfm) returned for the same file.
 */
function scbbs_file_download($file) {

  // Get the true path of the requested file.
  $file = file_create_path($file);

  // Next, check webfm files.
  // They need to either be attached to a node OR a filenode.

//  $webfm = 'files/webfm';
  $webfm = variable_get('webfm_root_dir', '');

  // Skip the check when no webfm root is configured: strstr() with an empty
  // needle raises a warning and never matches.
  if ($webfm != '' && strstr($file, $webfm)) {

    // Check if the file is attached to a node.
    $result = db_query("SELECT a.nid, f.* FROM {webfm_attach} a LEFT JOIN {webfm_file} f ON a.fid = f.fid WHERE f.fpath = '%s'", $file);
    if ($attached = db_fetch_object($result)) {
      // Check node access for the current user (db_rewrite_sql() applies node access grants).
      if (!(db_result(db_query(db_rewrite_sql("SELECT n.nid FROM {node} n WHERE n.nid = %d"), $attached->nid)))) {
        return -1;
      }
    } else {
      // File is not attached, so we deny access (CHANGE AND VERIFY WITH THE BROWSER).
      return -1;
    }

  }
}

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

TommyK’s picture

I've found that this problem isn't restricted to just the private file system. I set a test site to public and tried accessing files in a directory protected by the .htaccess file via the /system/files/ URL and I was able to access it anonymously.

Will your above code work for a site set to Public File System?

I'm relatively new to Drupal, so forgive me for the extra help I may need, but is the process to place the above code into a new module and then enable it?

Thanks,
Tommy

SomebodySysop’s picture

Will your above code work for a site set to Public File System?

It should. However, in a public file system, by definition, files in the files directory can be accessed via http:// by anonymous users UNLESS they are otherwise restricted. That's why I went to a "private" file system.

I'm relatively new to Drupal, so forgive me for the extra help I may need, but is the process to place the above code into a new module and then enable it?

Yes. I created a custom module for my site called scbbs.module. I placed the hook function described in #1 into that module.
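The following is an added example, not code from this thread or from the webfm project, showing how the hook_file_download() veto discussed in #1 can be packaged as a small Drupal 6 custom module. The module name "webfm_guard" and its file layout are placeholders; the query assumes, as the thread's own code does, that webfm_file.fpath stores the same path form that file_create_path() returns. It goes beyond the thread's snippet in two ways: the directory check is anchored at the start of the path instead of matching the webfm root anywhere in it, and a file attached to several nodes is allowed if the current user can see any one of them.

```php
<?php
// Added example (not the thread's or webfm's code). Assumed placeholder layout:
//   sites/all/modules/webfm_guard/webfm_guard.info
//   sites/all/modules/webfm_guard/webfm_guard.module   (this file)
//
// Contents of webfm_guard.info, a separate file shown here for completeness:
//   name = WebFM guard
//   description = Deny private-file downloads of WebFM files not attached to an accessible node.
//   core = 6.x
//   dependencies[] = webfm

/**
 * Returns TRUE when $path lies inside the WebFM root directory.
 *
 * The comparison is anchored at the start of the path (unlike strstr(), which
 * matches the root anywhere) and slashes are normalised so "files/webfm" and
 * "files/webfm/" compare the same. An empty root never matches, so a missing
 * webfm_root_dir setting cannot silently change what the rule covers.
 */
function webfm_guard_path_in_root($path, $root) {
  $root = rtrim(str_replace('\\', '/', $root), '/');
  $path = str_replace('\\', '/', $path);
  if ($root === '') {
    return FALSE;
  }
  return $path === $root || strpos($path, $root . '/') === 0;
}

/**
 * Implementation of hook_file_download().
 *
 * Drupal 6 semantics: returning -1 denies the download and overrides any
 * headers another module (such as webfm) returned; returning NULL expresses
 * no opinion and leaves the decision to the other modules.
 */
function webfm_guard_file_download($filepath) {
  $path = file_create_path($filepath);
  $root = variable_get('webfm_root_dir', '');

  // Files outside the WebFM tree are none of this module's business.
  if (!webfm_guard_path_in_root($path, $root)) {
    return NULL;
  }

  // Find every node the file is attached to (assumed column semantics, see lead-in).
  $result = db_query("SELECT a.nid FROM {webfm_attach} a INNER JOIN {webfm_file} f ON a.fid = f.fid WHERE f.fpath = '%s'", $path);
  while ($row = db_fetch_object($result)) {
    // db_rewrite_sql() applies node access grants for the current user;
    // one node this user may view is enough to allow the download.
    $nid = db_result(db_query(db_rewrite_sql("SELECT n.nid FROM {node} n WHERE n.nid = %d"), $row->nid));
    if ($nid) {
      return NULL;
    }
  }

  // Either unattached, or attached only to nodes this user cannot see.
  return -1;
}
```

After placing both files under sites/all/modules/webfm_guard and enabling the module at admin/build/modules, the rule applies to every request served through system/files/, which is the path that bypassed the .htaccess protection in the original report.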

andrew_rs’s picture

Thanks for writing this. I also ran into a similar issue. I've set the file system to private and have the files directory outside of the web root, and yet webfm files could be seen via the "system/files/webfm" method. I was thinking that I'd have to create a custom solution myself, but you've just saved me some time.

It pays to search the issues log before opening the text editor.

lilon’s picture

subscribing

rahulbshinde89’s picture

Title: Using .htaccess to restrict access on private site » Using .htaccess to restrict access on private folder please guide
Version: 6.x-2.10-rc4 » 6.x-2.x-dev
Component: Code » Documentation
Assigned: Unassigned » rahulbshinde89
Priority: Normal » Critical
Status: Closed (fixed) » Active
Issue tags: +Using .htaccess to restrict access on private folder please guide, +Using .htaccess to restrict access, +.htaccess to restrict on private folder

I had created a private folder in Media >> File System >> Private file system path (sites/all/themes/analytic/imp). In that imp folder I want to keep some important documents for authenticated users while restricting anonymous users. Will anybody suggest how to re-edit the .htaccess file in imp/.htaccess?

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Deny from all
Options None
Options +FollowSymLinks

which restricts all the anonymous users, authenticated users and administrators.

It shows the following error:

Forbidden

You don't have permission to access /drupal-7.14/sites/all/themes/analytic/imp/sample.pdf on this server.

Please suggest ASAP..... Thanks

apaderno’s picture

Assigned: rahulbshinde89 » Unassigned
Issue summary: View changes
Issue tags: -Using .htaccess to restrict access on private folder please guide, -Using .htaccess to restrict access, -.htaccess to restrict on private folder

I am removing issue tags used from one to four issues. I apologize for bumping the issue.
I am also closing this issue, since Drupal 6 isn't supported anymore.

apaderno’s picture

Status: Active » Closed (outdated)

(Yes, I forgot to change the status.)