_____

Drupal: private data

The sites/default/files folder

The sites/default/files folder is used to store files: images, pdf's etc. With IMCE it is possible to use the files in pages and to upload files. By defaut, everything in the sites/default/files folder is readable, also if no page is mentioning a file. For example, sorry, not available here can be used to download a file, also outside the ratrabbit website.

Hiding files

It is, also in standard Drupal, without adding a module, possible to create a folder whose contents are only accessible from the pages of your website. Example:

  • create a folder "protected" in the sites/default/files folder
  • set the permissions on "protected" as rwxrwxrwx to ensure that the apache server can write into it
  • configuration->file system
  • enter under Private file system path: sites/default/files/protected
  • Under Default download method check Private local files served by Drupal.
  • click Save configuration

Test: have a look in the "protected" folder, and see if there is now a file with the name ".htaccess":

Deny from all

   # Turn off all options we don't need.
   Options None
   Options +FollowSymLinks
   
   # Set the catch-all handler to prevent scripts from being executed.
   SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
   <Files *>
     # Override the handler again if we're run later in the evaluation list.
     SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
   </Files>
   
   # If we know how to do it safely, disable the PHP engine entirely.
   <IfModule mod_php5.c>
     php_flag engine off

This file (especially the first line) takes care, that the apache server will not serve any content from this folder, also not of any subfolder. Files in this folder can only be seen using a link from within your Drupal website, created with IMCE.

Example: two links to the same file in the "protected" folder:

  • using the conventional url _sorry, not available here .
      shows the "Forbidden" error, because the file is served by the apache server, which obeys .htaccess.

  • using the new url sorry, not available here .
      works (after installing and configuring module 'Private files download permission', see below),
      because now the file is served via the Drupal system, which ignores .htaccess

  • By checking Private local files served by Drupal. (see above), IMCE will take the "protected" folder as root, and it is not possible any more to use IMCE for files directly under sites/default/files.

Give access to roles

For this, we need module Private files download permission. Install and enable as usual.

Arrange that folder sites/default/files/protected can be accessed by everyone:

  • goto: configuration->Private files download permission. In the List directories tab, you see what the starting folder is: in our example "Your private file system path is sites/default/files/protected."
  • if not already present, add a directory "/", this is the sites/default/files/protected folder.
  • goto: edit->ENABLED ROLES
  • enable all roles (admin, anonymous user, authenticated user, ...)

Suppose you want to create a folder "members-only" accessible only by authenticated users:

  • create folder sites/default/files/protected/members-only
  • set permissions of this folder to rwxrwxrwx
  • goto: configuration->Private files download permission
  • click + Add directory
  • add directory /members-only
  • goto: edit->ENABLED ROLES
  • enable administrator and authenticated user

Any file in this members-only folder can only be accessed by authenticated users.

Demo

Try sorry, not available here while you are not logged in and when you are logged in. You login in sorry, not available here , using username: guest and password: guest

The relevant files:

               |
             sites
               |
            default
               |
             files     (contains the standard .htaccess)
               | \
               |   flowers.jpg   (readable for everyone, also via direct url)
               |
           protected   (contains .htaccess that forbids download via direct url)
               | \
               |   mansed.pdf (readable for everybody)
               |
          members-only
               |     \
               |       flowers1.jpg (readable for logged in users)
              pdf
                \
                 manbash.pdf (readable for logged in users)