Anonymous users can access files uploaded to my webfm directory, which I do not want.
My file system is set to private. Anonymous users have no access to any webfm permissions.
I put this .htaccess file on my root webfm directory (from http://drupal.org/node/372322):
order allow,deny
deny from all
Anonymous users get "forbidden" message when they try to go to:
files/webfm/thefile.txt
However, they have no restriction when they go to:
system/files/webfm/thefile.txt
I don't have any of the "Default File Permission" boxes checked in the Webfm settings, which I assume means no one can access a file except its owner or an administrator.
Please tell me what I've missed here: I want to not allow anyone to access files uploaded to the webfm directory unless those files are attached to some node.
Comments
Comment #1
SomebodySysop commented: I came up with a solution based on this post: http://drupal.org/node/442142
I'm marking this as fixed because I've added this code to my own custom module and it works; however, I do believe something like this should be added to webfm manager to make it more secure. Even if I had taken the webfm directory out of the web root directory tree, the Drupal "system" would still have given access to these files, as they aren't in the files table.
What I really wanted to do was not allow anyone direct URL (i.e., "files/webfm/file" or "system/files/webfm/file") access to a file unless it was attached to a node and therefore had some permissions associated with it. Using .htaccess (as suggested here: http://drupal.org/node/372322) resolved the first access problem: "files/webfm/file". The second problem was that my site uses the "private" file download method, and therefore all webfm files are available to anonymous users via the "system/files/webfm/file" URL, because the system doesn't recognize these files (because they aren't in the files table).
I fixed this by using hook_file_download to create a file access rule for webfm files: "If the file is in the webfm directory tree and is NOT attached to a node, then you can't access it via the "system/files/webfm" method." This stops anonymous access dead in its tracks.
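The hook described in comment #1 is not reproduced on this page, so the following is an added illustration written by the editor, not SomebodySysop's module and not part of WebFM. It shows the shape of a Drupal 6 hook_file_download() that denies system/files/webfm/... access to any file in the webfm tree unless it is attached to a node the current user may view. The module name MYMODULE, the permission name 'administer webfm', and the {webfm_file}/{webfm_attach} table and column names are assumptions; check them against the WebFM version you run before using this.

```php
<?php
// Added example (editor's code, not from the original thread or from WebFM).
// Assumed schema: {webfm_file}(fid, fpath) holds the full path of each
// managed file and {webfm_attach}(nid, fid) records node attachments.
// Assumed permission name: 'administer webfm'.

/**
 * Implements hook_file_download() (Drupal 6).
 *
 * With the "private" download method every request to system/files/<path>
 * runs through this hook. Returning -1 denies the request (Drupal sends a
 * 403); returning an array of HTTP headers grants it; returning nothing
 * leaves the decision to other modules, which for files that are not in
 * the {files} table means "allow", the hole described in this issue.
 */
function MYMODULE_file_download($filepath) {
  // Only files under the webfm directory tree are our concern.
  if (strpos($filepath, 'webfm/') !== 0) {
    return;
  }

  // Anonymous users never get direct access to webfm files.
  if (empty($GLOBALS['user']->uid)) {
    return -1;
  }

  $full_path = file_directory_path() . '/' . $filepath;

  // Refuse anything that is not a real file under the files directory
  // (also blocks path tricks such as webfm/../other).
  if (!is_file($full_path) || strpos(realpath($full_path), realpath(file_directory_path())) !== 0) {
    return -1;
  }

  // WebFM administrators bypass the node-attachment rule (assumed permission).
  if (user_access('administer webfm')) {
    return MYMODULE_download_headers($full_path);
  }

  // Allow the download only if the file is attached to at least one node
  // that the current user is allowed to view; node_access() applies the
  // normal node permissions and any node-access modules.
  $result = db_query(
    "SELECT a.nid FROM {webfm_file} f INNER JOIN {webfm_attach} a ON a.fid = f.fid WHERE f.fpath = '%s'",
    $full_path
  );
  while ($row = db_fetch_object($result)) {
    $node = node_load($row->nid);
    if ($node && node_access('view', $node)) {
      return MYMODULE_download_headers($full_path);
    }
  }

  // In the webfm tree but attached to no viewable node: deny.
  return -1;
}

/**
 * Headers Drupal needs to stream the file back to the client.
 */
function MYMODULE_download_headers($full_path) {
  return array(
    'Content-Type: ' . file_get_mimetype($full_path),
    'Content-Length: ' . filesize($full_path),
  );
}
```

Two points worth checking after enabling such a module: request system/files/webfm/thefile.txt as an anonymous user and confirm a 403, then attach the file to a node readable by anonymous users and confirm it becomes available. Note that this hook only governs the system/files path; the .htaccess rule from http://drupal.org/node/372322 is still needed to block direct files/webfm/... requests on a public file system.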
Comment #3
TommyK commented: I've found that this problem isn't restricted to just the private file system. I set a test site to public and tried accessing files in a directory protected by the .htaccess file via the /system/files/ URL, and I was able to access them anonymously.
Will your above code work for a site set to Public File System?
I'm relatively new to Drupal, so forgive me for the extra help I may need, but is the process to place the above code into a new module and then enable it?
Thanks,
Tommy
Comment #4
SomebodySysop commented: It should. However, in a public file system, by definition, files in the files directory can be accessed via http:// by anonymous users UNLESS they are otherwise restricted. That's why I went to a "private" file system.
Yes. I created a custom module for my site called scbbs.module. I placed the hook function described in #1 into that module.
Comment #5
andrew_rs commented: Thanks for writing this. I also ran into a similar issue. I've set the file system to private and have the files directory outside of the web root, and yet webfm files could be seen via the "system/files/webfm" method. I was thinking that I'd have to create a custom solution myself, but you've just saved me some time.
It pays to search the issues log before opening the text editor.
Comment #6
lilon commented: subscribing
Comment #7
rahulbshinde89 commented: I created a private folder in Media >> File System >> Private file system path (sites/all/themes/analytic/imp). In that imp folder I want to keep some important documents for authenticated users while restricting anonymous users. Will anybody suggest how to re-edit the .htaccess file in imp/.htaccess?
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Deny from all
Options None
Options +FollowSymLinks
This restricts all anonymous users, authenticated users and administrators alike,
showing the following error:
Forbidden
You don't have permission to access /drupal-7.14/sites/all/themes/analytic/imp/sample.pdf on this server.
Please suggest ASAP..... Thanks
Comment #8
apaderno commented: I am removing issue tags used on one to four issues. I apologize for bumping the issue.
I am also closing this issue, since Drupal 6 isn't supported anymore.
Comment #9
apaderno commented: (Yes, I forgot to change the status.)