Drupal Technical
[Drupal] How to limit file access permissions to defined user roles
I came across with an issue in one of the Drupal site that if an anonymous users knows the path of the file(example.org/sites/default/files/file1), he can view as well as download the file without any access to site. This looked strange as the sites files are been traced out by anonymous users and can breakout site admin credentials which are private.
The following steps help you to overcome the issue and keep the necessary files private.
- Create a folder private inside sites/default/files.
- Put a .htaccess file in that folder.
- Also,put the following to prevent direct access to the files via the web
Deny from all
- Next,goto /admin/config/media/file-system.
- change the private URL to sites/default/files/private
- select Private Files Served by Drupal as the default download method.
- Lastly, edit the content type and set the file attachments fields to save the uploaded files to private files instead of public files.
Hope the above helps to fix the issue with the file access permissions.