Restricting Access to Pages and Files

How to Manage Who Sees What on Your YaleSite

We’ve had a lot of requests for more information on restricting or controlling access to content. This is relatively easy to do with YaleSites using the right module combination:

Roles and People Management

YaleSites allows you to control who can edit/view content with roles. Out-of-the-box, anonymous and authenticated users (anyone with a NetID) can view your site; the Editor, Site Builder, and Administrator roles all have varying degrees of access based on the permissions granted. These permissions can be customized based on a site’s needs.

Restricting Access to Specific Pages or Sections

The Content Access Module gives you a way to control who can view or edit content for specific Content Types or individual pages/nodes on your site based on roles.

Restricting Access to Uploaded Files

Although the Content Access Module allows you to restrict access to pages or sections of your site, this alone does not prevent someone from viewing or downloading PDFs or other files that have been uploaded to your site. In order to prevent access to files, you need to configure the Private File settings and the Content Access module.

CASifying a Page

There may be times when you want to limit a page or webform to the internal Yale community. You can easily redirect someone to CAS prior to opening a page or webform using the CAS module.

Password Protecting a Page/Node

Need to restrict access to a small group that includes users who are outside the Yale community? Since these users do not have NetIDs, they can’t log in or be assigned a role. In these cases, you can use the Protected Node module to create a password for distribution.

Restrict access to pages/sections

You can easily restrict access to specific pages or sections of your site using the Content Access Module. This allows you to provide access to view and/or edit content for a specific content type based on a user’s role. In addition, you can provide permission to specific pages on an as-needed basis, in the event that only one page of a specific content type requires restriction.

Since the use of multiple user access modules can create conflicts, YaleSites will only offer the Content Access module as the option to restrict/grant access to users. For instructions on how to configure this module, please visit the Content Access module page on the YaleSites How-To Guide.

Restrict Access to Uploaded Files

You can restrict access to pages on your site using the Content Access module, but this does not prevent anyone from viewing files that have been uploaded on those pages. In order to do this, the field used to upload the file needs to be set as “private” when it is created. Some site configuration must be done to make the private option available.

  • Configure the site to allow Private Files
  • Create the Private File Content Type
  • Indicate which roles you want to view content created with the Private File Content Type.

Private Directory Configuration

The first thing you need to do is configure the Private directory on your site. 

  1. Go to Configuration > Media > File System
  2. The Private file system path field is blank. 
  3. Enter the following path in the field: sites/default/files/private (required; the directory name must be private)
    Configure the Private File System
  4. The Private directory is now available for your site with an .htaccess file that prevents access to anything in the directory without the proper permissions.

Private Files Content Type

For files that require restricted access, create a Private Files content type. This is the Basic Page content type but with the “file upload” field set to “private”. Once created, you need to set permissions to allow specific roles to view any of the content on that page, including the uploaded files.

  1. Create a Content Type (Structure > Content Types > Add) and configure based on your requirements. 
  2. Add a File Field to upload the type of file(s) you would like.
  3. When configuring the field, scroll down to the bottom of the configuration page and select the Private files radio button. 
    Upload Private Files
  4. Save the Configuration.

Assigning Access to the Content Type

The Private Files cannot be viewed when they are in the private directory unless access is provided to the content type the file is associated with. Therefore, you need to set access permissions to the Private Files content type using the Content Access Module in order to allow anyone to see and/or download the file. 

  1. Open the Private File Content Type and click on the Access Control tab.
  2. Adjust the permissions to allow the roles you want to view/edit this page.
    Content Access configuration settings

The downloadable file attached to a page of this content type takes on the permissions set here.
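Once the content type and its access settings are in place, it is worth confirming that a logged-out visitor really cannot fetch an uploaded file by its direct path. The following check is an added example, not part of the YaleSites documentation or any YaleSites tooling. It assumes files sit under the sites/default/files/private path entered above; the host name, file names, and function names are placeholders chosen for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import quote

PRIVATE_PATH = "sites/default/files/private"  # path entered in the File System settings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop at a 3xx response so a login page is not mistaken for the file."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def anonymous_status(url, timeout=10):
    """HTTP status for a cookie-less GET of url, without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit_private_files(base_url, filenames, fetch=anonymous_status):
    """Map each file name to EXPOSED, BLOCKED or CHECK for a logged-out visitor."""
    results = {}
    for name in filenames:
        url = f"{base_url.rstrip('/')}/{PRIVATE_PATH}/{quote(name)}"
        status = fetch(url)
        if 200 <= status < 300:
            verdict = "EXPOSED"   # file body served without a login
        elif status in (401, 403, 404) or 300 <= status < 400:
            verdict = "BLOCKED"   # denied, hidden, or sent to a login page
        else:
            verdict = "CHECK"     # 5xx and similar: inconclusive, retest by hand
        results[name] = (status, verdict)
    return results


if __name__ == "__main__":
    # Constructed responses standing in for a real site, so this runs offline.
    canned = {"budget.pdf": 403, "minutes.pdf": 200, "roster.pdf": 302}
    fake_fetch = lambda url: canned[url.rsplit("/", 1)[-1]]
    for name, (status, verdict) in audit_private_files(
            "https://yoursite.example", canned, fake_fetch).items():
        print(f"{verdict:8} {status} {name}")
```

To run it against your own site, call audit_private_files with your site URL and the names of files you uploaded, leaving fetch at its default; any EXPOSED result means the file is being served without the role check.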

Please note: the video describes how to set up a Private file directory and create a Private File content type. This is not necessary. You do not need to create or change the Private File system path. This has already been set up as part of your YaleSite.