Drupal 7: how to restrict file access to specific user roles

Question

I need to develop a site on Drupal 7. I have some content types with File fields in CCK. And access to nodes of these types should be granted only to specific Drupal user role. And at any moment site administrator should be able to make these Nodes 'public' or 'private'.

I can make nodes visible only to specific user roles, but this is not secure enough. If anonymous user knows the path to file ( www.mysite.org/hidden_files/file1 ), he can download it.

What is the most elegant way to solve this problem?

Thanks in advance.

Answer 1

Check out this documentation here: http://drupal.org/documentation/modules/file

Specifically, the section titled "Managing file locations and access" which talks about setting up a private data store (all supported by Drupal 7, it just needs to be configured).

To paraphrase, create a folder such as:

sites/default/files/private

Put a .htaccess file in that folder with the following to prevent direct access to the files via the web:

Deny from all

(the documentation claims that the following step does the above steps automatically, I haven't tested that unfortunately but you may be able to save some time if you skip the above two steps)

Log into Drupal's admin interface, go to /admin/config/media/file-system, configure the private URL and select Private Files Served by Drupal as the default download method.

In order to define the fine-grained access to nodes and fields, you can use Content Access: http://drupal.org/project/content_access

You will also need to edit your content types and set the file / image upload fields to save the uploaded files into Private Files instead of Public Files.

At this point, the node and field level permissions will determine whether or not users are allowed to access the files which will be served through menu hooks that verify credentials before serving the file.

Hope this helps.