Drupal 7 Private Files Module

Drupal 7 Private Files Module - Secure files user permissions

I've put together this module to extend Drupal's functionality, giving a truly private file system. Currently, Drupal lets you choose to store uploaded files using the public or the private file system; however, even if you choose private, it is still possible to browse to these files with a URL. I've come across a few situations where I've had files which should only be viewable by logged-in users (e.g. user pics). In other situations I've needed to make sure certain files are only viewable by the user that uploaded them.

Private Files Module lets you do all this without breaking a sweat.

Using the module

  • Install Private Files module from module list.
  • Set up user permissions at admin/people/permissions
  • Choose security type for each folder at admin/config/media/private-files

Let me know what you think.
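
The per-folder check described above maps onto Drupal 7's hook_file_download(). The code below is an added example, not the module's own code: the module name example_private, the example_private_policies variable and the fail-closed default for unlisted folders are assumptions. It decides on the scheme of the requested URI rather than on file_default_scheme(), so private file fields stay protected on a site whose default scheme is public.

```php
<?php
/**
 * Implements hook_file_download() for a hypothetical module "example_private".
 * Assumption: the variable 'example_private_policies' maps a top-level folder
 * under private:// to 'everyone', 'authenticated' or 'owner'.
 */
function example_private_file_download($uri) {
  global $user;

  // Check the scheme of the requested file, not the site default: public and
  // private files can coexist on the same Drupal 7 site.
  if (file_uri_scheme($uri) !== 'private') {
    return NULL; // Not ours; let other modules decide.
  }

  // The first path component under private:// selects the folder policy.
  $parts = explode('/', file_uri_target($uri));
  $folder = count($parts) > 1 ? $parts[0] : '';

  $policies = variable_get('example_private_policies', array());
  // Assumption: a folder with no configured policy is limited to logged-in users.
  $policy = isset($policies[$folder]) ? $policies[$folder] : 'authenticated';

  // Managed-file record, needed for the owner check and the response headers.
  $files = file_load_multiple(array(), array('uri' => $uri));
  $file = $files ? reset($files) : FALSE;

  switch ($policy) {
    case 'everyone':
      $allowed = TRUE;
      break;

    case 'owner':
      $allowed = $file && $user->uid > 0 && (int) $file->uid === (int) $user->uid;
      break;

    default:
      $allowed = user_is_logged_in();
  }

  if (!$allowed) {
    return -1; // A single -1 from any module makes Drupal answer 403.
  }
  // Headers grant access; NULL for an unmanaged file leaves it to other modules.
  return $file ? file_get_content_headers($file) : NULL;
}
```

If no module returns headers for a private URI, Drupal 7 denies the download, so an unmanaged file in an 'everyone' folder is still refused unless another module grants it.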



posted by Steve on May 04 2011

With the very limited testing that I've done this seems to do exactly what I want, which is to restrict private files to logged-in users (at this point I have no need to restrict access to the user who uploaded the file so I haven't tested that function).

Thanks! This was a showstopper and I was in the early stages of planning a switch away from Drupal.

posted by jack on May 04 2011

fantastic... glad to hear it helped you.

posted by jack on May 09 2011

I'm looking for ideas on how to improve the module. Would appreciate any feedback you can provide!

posted by Marshall on May 11 2011

Have you uploaded this as a module at drupal.org?

posted by jack on May 11 2011

Hi Marshall - I haven't yet. I still haven't taken the time to figure out GIT yet, but I'm working on it.

posted by Marshall on May 11 2011

Yeah, this module is magical. If I had known about it, I could have saved myself 2 days of trying to get Drupal to see a folder outside of the site root. Media Temple hates me. I hope you're able to get this up soon and thanks.

posted by Sutharsan on May 12 2011

Nice work, and so simple. Why not share this code at drupal.org?

posted by jack on May 12 2011

Sutharsan - glad you like it. As I mentioned in a comment above... I'm still trying to figure out GIT well enough to add a module onto Drupal.org. I'll get there eventually ;-)

posted by Sutharsan on May 12 2011

Totally off topic, but I recommend the book 'Pragmatic Version Control Using Git'. It helped me a lot. Wrapping my head around the branches and the workflow was the toughest thing to do.

posted by jack on May 12 2011

awesome! thanks for the tip.

posted by Sutharsan on May 30 2011

I hate to ruin a party, but after long struggling, debugging and testing with various access control modules in combination with private files I came to the conclusion that this module is not needed to block access to private files which are uploaded via an image field on an access restricted node. These images are not loaded as part of the restricted node, but also not accessible via the (example.com/system/...) url. It did not work at first, the access to the node was restricted but the file access was permitted (using TAC Lite). But when I started over again with TAC Lite it worked as advertised. Also with the Node Privacy by Role module. Can't explain why it did not work in the first place but my use case for this Private Files module is no longer there.
Thanks anyway for the effort of writing the code and sharing it.

posted by jack on May 30 2011

Hey - Not sure I 100% understand your scenario but I'm glad you made it work without the module... a simpler solution with less code is almost always a good thing.

posted by Marshall on May 31 2011

I had the same thing going. All my files were private on my MAMP installation of a site. Then, when I moved to a staging server the file privacy stopped working and the only way I could get it back while not totally re-doing my file structure was to use this module.

posted by Bas on Oct 24 2011

Hi Erik, it may solve that particular use case but if you're using CKEditor a good private directory control module is much needed.

posted by Renaee on Jun 02 2011

Hi there,
I do not see anything at the admin config area:

the overlay pops up but there is nothing there.

Any explanation?
many thanks,

posted by mori on Nov 03 2011

Did you enable the private file system?
And are there any subfolders into the main private root directory?
If not then nothing can be displayed.

posted by Sutharsan on Jun 03 2011

I'll explain my scenario: A node with an image field. Access to the node is controlled with TAC Lite. The image is stored in the private file system.

I expected the image to have the same access restrictions as the node. Thus the URL of the image to give a 403 for the same roles as the node does.

I think my problem was fixed by the latest security release of Drupal. It worked as expected after upgrade to 7.2. See http://drupal.org/node/1168756

posted by Steffen on Jul 05 2011

Thank you for this module! Needed to restrict access to a filefield file – fieldpermissions didn't work.
But since drupal 7 is able to deal with private and public files at the same time, perhaps the "file_default_scheme() == 'public'" isn't needed. I've removed it and it's working like expected for the private files.
Perhaps this module can extend fieldpermissions? You should release it on drupal.org, it's a gem.

posted by Carl on Sep 06 2011

This is great - I've been looking for a solution to this problem for literally months now but have only just come across your page.
I've tested the module out and it seems to work OK. Perhaps lacking a bit of contextual info in terms of UI, but it's so straightforward that it is still perfectly usable without.

My one question is this: If I set a folder to only allow access to authenticated users, and an anonymous user accesses the direct URL of a file within that directory they are presented with an access denied page - My site is configured such that this page also has a log in form on it. If the user then logs in, they are instantly able to download the file, but they're left on the 'access denied' page. Do you know if there is a relatively simple way to redirect the user once they login, so that they are taken to the node page of the node to which the file has been uploaded, as well as/or instead of just downloading the file? In your hook_file_download I see that you find out which folder is being requested, but the return values for this function don't allow for this sort of functionality. I wonder if there's a way to back trace this directory to the corresponding node? Totally outside of the scope of this module, I'll admit, but I just thought I'd try and pick your brains!

posted by jack on Oct 13 2011

Hey - not sure about the redirect thing. There used to be a module called Login Toboggan that did that. Might be worth a quick look on drupal.org for it.

posted by Bas on Oct 24 2011

Hi, thanks for sharing this! I think this functionality should have been in Drupal core. Because it is so trivial, any module should be well-configurable so that (almost) all situations could be solved with it.

Your problem is handy, but it lacks good configuration right now. Right now, this module is not usable for me yet. I have configured CKEditor to have a private folder for every individual user. This creates directories in the private folder named with the user id (for example '456'). By default, new folders are accessible by your module and though it is possible to change the settings of existing folders, I want to specify a 'default' setting for new folders. It would be best to specify that only directories with digits are accessible by people who can read ckeditor content.

I think it would be better if you could specify regular expressions to match paths within the private folder. You should be able to sort these rules, such that you can specify which reg exp is more important than the other. This would make the module better configurable.

Per reg exp you should be able to configure:
- if owner users should be able to see it (checkbox)
- the permission that the user should 'own' to view this file
(users should be able to create new permissions dynamically)

Do you have a problem with me changing your module to make it configurable like above, when I have time for it? I kind of need this quite quickly so prefer to create it myself.

posted by jack on Oct 25 2011

Hey - I have no problem with you modifying the module... let me know if you have any questions.

posted by mori on Oct 31 2011

First of all: congrats for that excellent work !!!

Currently with D7.9, D7.7 works, I don't see the options for the folders on the admin-page. Maybe this is caused due to another module?

posted by mori on Oct 31 2011

Everything perfect, it was just a setup mistake to a new empty private folder. SORRY.

posted by jack on Nov 01 2011

glad you got it figured out!

posted by mori on Nov 03 2011

Someone set up this project based on your work:

posted by mori on Nov 03 2011

Maybe this is an issue having a look at.

For a music site I wanted to use the private file system and the media audio field with the WordPress Audio Player and protect the audio files with your module.

But when I restrict access to the folder for logged in users the player is not able to play the files anymore. Instead the player says "file not found".

Maybe a solution is to use the jPlayer which has an admin option to protect the audio files. But yet I did not try it because of some bugs.

The site with the player is here: http://www.luvliterecordings.com

posted by Debra on Nov 30 2011

This was exactly what I needed in a crunch. You saved me loads of headaches and time. Thanks!

posted by Jacob on Dec 08 2011

Please make a redirect to the login page when an unregistered user tries to download the file!

Thank you!

posted by SlyK on Feb 02 2012

Hello. Thanks for module!
There was a fix needed for me. My default file scheme is 'public', but I use some 'private' file fields. So there is no need to check my default file scheme.
if(file_default_scheme() == 'public') { - not needed

posted by Naren on Mar 28 2012

I am getting access denied when I tried to download files from filedepot or filetree modules. Based on the instructions listed I am getting a different window when I go to Admin -> configuration -> Media -> private files

. Everyone
. Logged In Users
. File Owner

. Everyone
. Logged In Users
. File Owner

instead of choosing the folder. When I select Everyone I am getting Access denied. Any ideas?

posted by Haris K on Apr 19 2012

Thank you for this module. Does it work with lighttpd?

posted by jack on Apr 23 2012

I've not tested it, but see no reason why it wouldn't work. Let me know how you get on!

posted by Tony on May 02 2012

Here's the error I get when trying to create a subfolder: "You need to enable the private file system before you setup this module."

posted by jack on May 04 2012

Sounds like you haven't set up "private files" within Drupal. This module just extends the default private files features. There are some instructions on this page - http://drupal.org/documentation/modules/file


Copyright © 2012 BEACON9 Media Ltd. All Rights Reserved.
