Login/Register
Drupal 7: how to restrict file access to specific user roles
Asked Answered
Solved securityfiledrupaldrupal-7cck
S

1

6

I need to develop a site on Drupal 7. I have some content types with File fields in CCK. And access to nodes of these types should be granted only to specific Drupal user role. And at any moment site administrator should be able to make these Nodes 'public' or 'private'.

I can make nodes visible only to specific user roles, but this is not secure enough. If anonymous user knows the path to file ( www.mysite.org/hidden_files/file1 ), he can download it.

What is the most elegant way to solve this problem?

Thanks in advance.

Scholl answered 24/3, 2012 at 7:23 Comment(2)
I haven't used this module, but I'm going to install it. It allows you to restrict access to files by role. drupal.org/project/file_accessOruro
Another restriction of private files by role, but not in alpha drupal.org/project/private_files_download_permissionOruro
I
9

Check out this documentation here: http://drupal.org/documentation/modules/file

Specifically, the section titled "Managing file locations and access" which talks about setting up a private data store (all supported by Drupal 7, it just needs to be configured).

To paraphrase, create a folder such as:

sites/default/files/private

Put a .htaccess file in that folder with the following to prevent direct access to the files via the web:

Deny from all

(the documentation claims that the following step does the above steps automatically, I haven't tested that unfortunately but you may be able to save some time if you skip the above two steps)

Log into Drupal's admin interface, go to /admin/config/media/file-system, configure the private URL and select Private Files Served by Drupal as the default download method.

In order to define the fine-grained access to nodes and fields, you can use Content Access: http://drupal.org/project/content_access

You will also need to edit your content types and set the file / image upload fields to save the uploaded files into Private Files instead of Public Files.

At this point, the node and field level permissions will determine whether or not users are allowed to access the files which will be served through menu hooks that verify credentials before serving the file.

Hope this helps.

Imitate answered 24/3, 2012 at 7:47 Comment(7)
Actually, you can also set the private directory to be outside of your web root, such as (relative to server root) /home/[your-account]/private. Make sure the directory is writable by Drupal, which depending on your server config can have a variety of different permissions and group privileges.Imitate
Thanks a lot! I mark this answer as 'accepted'. Sorry, not able to mark it as 'useful', because I have reputation < 15Scholl
No worries, happy to have been of assistance.Imitate
As a matter of fact, even if you use the drupal file system and set your file field to use private file system. As long as your node containing the file is published anyone with direct link will be able to download your file. There is no file level access control only node level and even if your node cannot be accessed by everyone, the file will be!Pacemaker
@Nir: so it is no useful to set files as private when they are public in real? Why should I create private files when I need to set them as private with another tools? I think Drupal is little tricky in setting private files.Softpedal
@Nir: Having .htaccess Deny from all takes care of that. The web server (if you're using Apache) is not going to serve that file directly no matter what.Concrete
Is it possible to only allof private upload? If e give some users the permission to upload to the private dir, they have the choice to upload into public or private. But I want them to have no choice, they just should be able to upload into private - How can I manage that? All permissions that I set did not help.Kerstinkerwin

© 2022 - 2024 — McMap. All rights reserved.