If you're like us, you usually want only SOME files to be "private", not ALL of them, but out of the box Drupal's file system is all-or-nothing. There are modules that handle this, but honestly it's pretty easy to do yourself.
Let's say you don't want anonymous users (or search engines) to download any files in your sites/default/files/private folder. Create a .htaccess file in the folder you wish to protect, add the following, and save (this is for Apache; Windows servers need an equivalent rule):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^GET$ [NC]
RewriteRule ^(.*)$ /system%{REQUEST_URI} [L,QSA]
RewriteCond %{REQUEST_METHOD} ^POST$ [NC]
RewriteRule ^(.*)$ /system%{REQUEST_URI} [L,QSA]
What this does is tell your server that if someone requests a file via either GET or POST, the request must be routed through Drupal, which then decides whether the user has permission to view the file.
The flag "[NC]" makes the match case-INsensitive, and "[L,QSA]" means "this is the Last rule -- stop processing rules, and append any query string that was provided."
One last thing: you need to tell Drupal about your private folder by implementing its file_download hook (this is for Drupal 5; refer to api.drupal.org for the appropriate hook signature in other versions). You'll need a custom module for this. We typically create a "tweaks" module for all our client sites, but you can do this however you wish:
/**
 * Implementation of hook_file_download().
 *
 * $filepath is the path as rewritten by the .htaccess above,
 * e.g. sites/default/files/private/report.pdf.
 */
function [YOURMODULE]_file_download($filepath) {
  // Only act on files that sit directly inside a folder named "private";
  // anything else is left for other modules to decide.
  $dirbasename = basename(dirname($filepath));
  if ($dirbasename == 'private') {
    if (user_access('access webform results')) {
      // Allow: hook_file_download() returns the HTTP headers Drupal sends with the file.
      // Serving it as an attachment keeps an uploaded HTML file from rendering in the browser.
      return array(
        'Content-Type: application/octet-stream',
        'Content-Disposition: attachment; filename="'. basename($filepath) .'"',
      );
    }
    else {
      // Deny: -1 makes Drupal respond with "access denied".
      return -1;
    }
  }
}
In this case, we want Drupal to check the user's webform access permission: if they can access webform results, they are allowed to download the file. You can pass any permission string to user_access() that suits you (e.g., "administer nodes"). For this site, we wanted people who manage webforms to be able to download the files users attach to the forms they fill out, but nobody else should be able to view them (they hold somewhat confidential information).
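To make the hook's contract concrete, here is a small Python model, added for this post and not Drupal's code, of what happens once the rewrite hands a request to /system/...: each hook_file_download() either stays silent, denies with -1, or allows with a list of headers, and file_download() combines every module's answer. It goes a little beyond the hook above by also claiming files in subfolders of private/; FILES_DIR, the permission name and the sample paths are constructed stand-ins.

```python
"""Model of Drupal 5's file_download() dispatch over hook_file_download() results.
Added illustration, not Drupal code; FILES_DIR, permissions and paths are stand-ins."""
import posixpath

FILES_DIR = 'sites/default/files'   # prefix the rewritten REQUEST_URI carries
DENY = -1

def private_hook(filepath, perms):
    """Generalised version of the page's hook: claim anything under private/
    (subfolders included), allow with headers or deny with -1, else stay silent."""
    clean = posixpath.normpath(filepath)
    if clean.startswith(FILES_DIR + '/'):          # strip the files-dir prefix
        clean = clean[len(FILES_DIR) + 1:]
    parts = clean.split('/')
    if parts[0] != 'private' or '..' in parts:
        return None                                # not ours; other modules decide
    if 'access webform results' in perms:
        # Force a download so an uploaded .html file is never rendered inline.
        return ['Content-Type: application/octet-stream',
                'Content-Disposition: attachment; filename=' + parts[-1]]
    return DENY

def file_download(filepath, perms, hooks=(private_hook,)):
    """Drupal 5 semantics: any -1 wins (403), any headers serve the file (200),
    and a file no module claims is a 404, not a fall-through to the raw file."""
    collected = []
    for hook in hooks:
        result = hook(filepath, perms)
        if result is None:
            continue
        collected.extend(result if isinstance(result, list) else [result])
    if DENY in collected:
        return 403, []
    if collected:
        return 200, collected
    return 404, []
```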
That's it... not THAT bad, right?