Question

I'm trying to set up a new D8 site. It needs to include some "subscriber only" type functionality. There is one content type which is little more than a title, a file, and one extra field for sorting purposes. There is also a View to make this visible to the end user. What I'm trying to do is let the unauthenticated site visitors see the list, but not download anything while the authenticated users in a specific Role are allowed to download those files. The site's owner will be taking care of adding people to it manually. It isn't too frequent of an event, apparently.

I see how to make the View itself only available to people in that Role. I see how to make content as a whole unavailable to the unauthenticated (Anonymous Users) in /admin/people/permissions. Am I going to have to disable Anonymous Users' access to all content and then enable it one content type at a time? Or is there a better way to achieve the goal?

I'm open to scrapping the approach I've taken (Content Type, File field, and a View) and doing something else entirely if it would be better.

Note: We're currently using private files as the default storage location.

Solution

It's good you're using the Private file system. That is one level of control you need to prevent the files from being freely downloaded.

Other levels of control are the Page (Views list), Node, and File fields.

You could create two different Views, one without the file field, and one with it, and use Role permissions on those pages. In this case you'd have to make nodes not accessible to all, which isn't fortunate if you want to control other types differently. There are modules, though, that you can use to set up different node type permissions.

But in your case I think it makes the most sense to have different File permissions. This way you don't have to duplicate Views or control node access.

You can do this with the Field Permissions module.

All can see the nodes and Views pages, but only special Roles will see the File field that has those special permissions.
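
What a field-level restriction like this looks like in custom code, as an added example (it is not part of the original answer and is not the Field Permissions module's own code). It denies `view` on one file field unless the account has an allowed role; Drupal core's download check for private files consults view access on the referencing node and on the field, so the same decision applies to the file URL and not only to the rendered link. The module name `subscriber_files`, bundle `subscriber_document`, field `field_document_file` and role `subscriber` are assumptions.

```php
<?php

/**
 * @file
 * subscriber_files.module (hypothetical module name).
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_entity_field_access().
 */
function subscriber_files_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  // Assumed machine names: replace with the site's real bundle and field.
  $is_target = $field_definition->getTargetEntityTypeId() === 'node'
    && $field_definition->getTargetBundle() === 'subscriber_document'
    && $field_definition->getName() === 'field_document_file';

  // Leave every other field, and every operation except viewing, to the
  // normal access rules (node edit permissions still govern editing).
  if (!$is_target || $operation !== 'view') {
    return AccessResult::neutral();
  }

  // Assumed role machine names. Anonymous visitors only carry the
  // "anonymous" role, so they never match.
  $allowed_roles = ['subscriber', 'administrator'];
  $has_role = (bool) array_intersect($allowed_roles, $account->getRoles());

  // Forbidden overrides any "allowed" result from other modules. The
  // user.roles cache context keeps a page cached for a subscriber from
  // being served to a visitor without the role.
  return AccessResult::forbiddenIf(!$has_role)
    ->addCacheContexts(['user.roles']);
}
```

Rebuild caches after enabling the module so the hook is picked up, then request a file URL as an anonymous visitor to confirm the download is refused as well as the link being hidden.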

OTHER TIPS

You can create a field formatter for a file field.

When you extend the FormatterBase class you can implement the isApplicable method or just prevent rendering by adding return false in a view method.

So add a check: if the currently logged-in user has the correct role, render the file field, else don't display it.

Licensed under: CC-BY-SA with attribution
Not affiliated with drupal.stackexchange