I just recently provided a private file solution for uploaded files,
including imagecache images, which opens a security hole:
http://drupal.org/node/796384 .  I used a solution based on the
private download module: http://drupal.org/project/private_download
which uses a urlrewrite solution. You might consider using that
solution to protect the file while it is in the node add form stage.
Download that module to see the solution.  I've successfully used it
to close the imagecache security hole and can control who sees
imagecache presets.  It requires having htaccess files everywhere but
it works.  I can send you the module I created on request.   I will be
contributing it back to drupal.org at some point.

On Apr 12, 10:58 pm, Paul Bennett <[email protected]> wrote:
> Hi Chris and Jonathan,
>
> Thanks for the feedback.
>
> My experience is that the file is accessible - even when using private 
> browsing and a directory outside the web root.
>
> Testing steps:
> - [in Safari] log in, attach a file to the node, upload it.
> - open Chrome (not logged into Drupal therefore running as anonymous user)
> - copy file link from node add form (node not yet saved)
> - paste link into Chrome's address bar
> - hit enter
> - say small prayer
> - file is able to be viewed
> - swear
> - briefly consider another line of employment
>
> I do have the content access module running and there may be something askew 
> with my file upload settings. I'll strip back my settings and test again 
> tomorrow morning, as you both sound like this should be working the way I 
> want it to anyway.
>
> Paul

-- 
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to
[email protected]
