Drupal 7 public and private files

Drupal 7 supports public and private download/upload methods (if the system paths are set under the Media configuration section) - by default only the Public download method is supported.

Download methods

Public download method - files are stored within the Drupal web directory set via the public file system path (default: "sites/default/files"). Any file stored here can be downloaded using a direct URL, for example www.example.com/sites/default/files/test.txt

Private download method - files are stored in the destination specified by the private file system path and cannot be downloaded directly via URL (if everything is set correctly). Drupal writes an .htaccess file to the private file system path that by default denies access to all files within this location (if it does not, the .htaccess file stored here cannot be read by Apache - check the Apache configuration settings for the web site and fix it).

Private files are accessible via this URL: www.example.com/system/files/test.txt, for which Drupal checks access permissions. For example, if Page nodes are accessible only to authenticated users, an anonymous user would get Access Denied when accessing a private file attached to any Page node.

If we access a private file using the URL www.example.com/sites/default/files/private/test.txt (assuming that the private file system path was set to sites/default/files/private), the server would return the default Apache 403 page (as per the .htaccess in this folder), as direct access is disabled.

Under Media -> File system settings we can specify which default download method is used for our Drupal website.

Upload methods

When the public and private file system paths are set, we can specify where uploaded files (via a File field) should be saved. On the node content type, under manage fields, we can add a new field that is used to upload files, and under field settings we can select one of the available destinations: private or public.

This means that if we set the file field's upload destination to Private, Drupal would upload any file into the private file system path on node save; if we set it to Public, the file would be uploaded into the destination given by the public file system path.

Mixing private and public files methods in Drupal 7

There are two ways to set up a Drupal web site so that it supports public and private files at the same time:

  1. Create two file fields under manage content type - for one we specify upload destination = Public files and for the second upload destination = Private files (so Drupal knows to upload files into the correct places and they are served properly by either the Public or the Private download method), or
  2. A more advanced but more elegant method: create a custom widget, for example a tick box that, when selected, instructs Drupal to upload this file on node save to the destination specified by the private file system path, and otherwise to the public destination. This method allows uploading public and private files from the same field.

As already explained, ensure that there is an .htaccess file in the private file system path (Drupal should create one when the private file system path is set up) and that it is readable by Apache.

The default .htaccess file is enough - by default it denies (403) any direct access to files within the private file system path. We can replace this file with one that contains a smarter rewrite rule and redirects the “public” URL of private files to the “private” URL:

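<IfModule mod_rewrite.c>
  RewriteEngine on
  # Relative substitutions below are prefixed with Drupal's private file URL
  RewriteBase /system/files
  # Redirect any direct request for a file here to /system/files/<same path>
  RewriteRule ^(.*)$ $1 [L,R=301]
</IfModule>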
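
An added example, not from the original post: the rewrite-only file above gives no protection when mod_rewrite is not loaded, because Apache then skips the whole <IfModule> block and serves the files directly. This variant keeps the redirect and falls back to an explicit deny; it assumes the file sits in the private file system path and that AllowOverride permits these directives.

```apache
# Added example: place in the private file system path
# (sites/default/files/private in this article's setup).

# mod_rewrite loaded: redirect every direct request to the URL that
# Drupal serves after its own access check.
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteBase /system/files
  RewriteRule ^(.*)$ $1 [L,R=301]
</IfModule>

# mod_rewrite not loaded: the block above is ignored, so deny direct
# access explicitly instead of letting Apache serve the files.
<IfModule !mod_rewrite.c>
  # Apache 2.4 syntax
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2 syntax
  <IfModule !mod_authz_core.c>
    Deny from all
  </IfModule>
</IfModule>
```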

At this point everything should work:

  • all files are stored in the correct upload destinations (private or public),
  • private and public file system paths are set,
  • Drupal would use either the public or the private download method to serve our files accordingly.

Drupal 6

At the time of writing this, Drupal 8 is almost ready (it will be released on 19th November 2015), so here I just post brief information on how private/public files can be served in the Drupal 6 framework. By default Drupal 6 allows only the public download/upload method. To provide private and public upload/download methods we have to install and enable two additional contributed modules:
•    https://www.drupal.org/project/private_upload
•    https://www.drupal.org/project/private_download

Hope you find my notes useful, and if there is anything I missed or got wrong, please let me know.


