Drupal Private Download Folder

By Jimmy Bonney | August 26, 2009

Private Property

Still working with Drupal and still learning a lot… The challenge I was facing was to let users upload files to a specific folder but to restrict access to that file so that it cannot be downloaded by anybody simply by giving the file path (private download). Therefore, users are allowed to post content but not access it (otherwise nothing prevent them to access files from other users in the folders).

Fortunately - as often with Drupal - there are already solutions on the web:

  1. Mixing private and public downloads in Drupal 6
  2. Restrict specific folders from public download (via .htaccess)

To summarize, I mixed the two solutions given here above, because I had a problem when using only solution 1 (my drupal site is not at the root of the website but in a subfolder). Therefore I used method 2 and edited the .htaccess file at the root of the website in order to add the following line somewhere in the block delimited by <IfModule mod_rewrite.c>...</IfModule>:

RewriteRule ^sites\/default\/files\/(protected_download_dir\/.*)$ index.php?q=system/files/$1

For what I have noticed, it is also possible to edit the line as

RewriteRule ^sites\/default\/files\/(protected_download_dir\/.*)$ /system/files/$1

but maybe one is better than the other.

After that, I just implemented the private download module given in one of the comment of the first link. As a result, the following is now the current flow:

  1. Some users are allowed to create a custom content containing a CCK filefield item so that they can upload a file in the private folder
  2. Once the file is uploaded, normal users do not have the permission to access the file
  3. Administrators receive a email that a new content containing a file has been uploaded
  4. Administrator with the privatedownload permission (part of the module) are allowed to access the file in the private folder and therefore allowed to download it

Note that as mentioned in the links above, this solution offers one private folder that would be like a pool in which user can throw their files but not access them. Only administrators are allowed to access the files. It is therefore easier if all files are situated in this unique folder so that administrators can retrieve / remove all files at once (by ftp/sftp/ssh) if necessary.



For the time being, comments are managed by Disqus, a third-party library. I will eventually replace it with another solution, but the timeline is unclear. Considering the amount of data being loaded, if you would like to view comments or post a comment, click on the button below. For more information about why you see this button, take a look at the following article.