Restrict Access to Uploaded Files

You can restrict access to pages on your site using the Content Access module, but this does not prevent anyone from viewing files that have been uploaded on those pages. To do this, the field used to upload the file needs to be set as “private” when it is created. Some site configuration must be done to make the private option available.

  • Configure the site to allow Private Files
  • Create the Private File Content Type
  • Indicate which roles you want to view content created with the Private File Content Type.

Private Directory Configuration

The first thing you need to do is configure the Private directory on your site. 

  1. Go to Configuration > Media > File System
  2. The Private file system path field is blank. 
  3. Enter the following path in the field: sites/default/files/private (required; the directory name must be private)
  4. The Private directory is now available for your site with an .htaccess file that prevents access to anything in the directory without the proper permissions.
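
One way to confirm the protection that step 4 describes, as an added example (not part of the original page or of YaleSites tooling): the script checks that the private directory holds an .htaccess file with an active deny-all directive and that no nested .htaccess re-opens a subdirectory. It assumes an Apache server that honours .htaccess files; the function names and the sample directories are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Deny-all directives in Apache 2.4 and Apache 2.0-2.2 syntax. Anchoring at the
# start of the line means a commented-out directive does not count.
DENY_ALL = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.I | re.M)
GRANT_ALL = re.compile(r"^\s*(Require\s+all\s+granted|Allow\s+from\s+all)\s*$", re.I | re.M)

def audit_private_dir(private_dir):
    """Return a list of findings; an empty list means no problem was found."""
    root = Path(private_dir)
    if not root.is_dir():
        return [f"{root}: directory does not exist"]
    htaccess = root / ".htaccess"
    if not htaccess.is_file():
        return [f"{htaccess}: missing, nothing in this directory blocks direct URLs"]
    if not DENY_ALL.search(htaccess.read_text(errors="replace")):
        return [f"{htaccess}: no active deny-all directive"]
    findings = []
    # A nested .htaccess can override the parent and re-open a subdirectory.
    for nested in sorted(root.rglob(".htaccess")):
        if nested != htaccess and GRANT_ALL.search(nested.read_text(errors="replace")):
            findings.append(f"{nested}: grants access below the private directory")
    return findings

def demo():
    """Audit three constructed sample directories (not taken from a real site)."""
    samples = {
        "protected": "<IfModule mod_authz_core.c>\n  Require all denied\n</IfModule>\n",
        "commented": "# Deny from all\n",
        "absent": None,
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            private = Path(tmp, name, "sites/default/files/private")
            private.mkdir(parents=True)
            if content is not None:
                (private / ".htaccess").write_text(content)
            results[name] = audit_private_dir(private)
    return results

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "OK" if not findings else findings)
```

On a real site, call audit_private_dir() with the full path to sites/default/files/private under the web root.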

Private Files Content Type

For files that require restricted access, create a Private Files content type. This is the Basic Page content type but with the “file upload” field set to “private”. Once created, you need to set permissions to allow specific roles to view any of the content on that page, including the uploaded files.

  1. Create a Content Type (Structure > Content Types > Add) and configure based on your requirements. 
  2. Add a File Field to upload the type of file(s) you would like.
  3. When configuring the field, scroll down to the bottom of the configuration page and select the Private files radio button. 
  4. Save the Configuration.

Assigning Access to the Content Type

The Private Files cannot be viewed when they are in the private directory unless access is provided to the content type the file is associated with. Therefore, you need to set access permissions to the Private Files content type using the Content Access Module in order to allow anyone to see and/or download the file. 

  1. Open the Private File Content Type and click on the Access Control tab.
  2. Adjust the permissions to allow the roles you want to view/edit this page.

The downloadable file that is attached to this page takes on the permissions set here.

Please note: the video describes how to set up a Private file directory and create a Private File content type. This is not necessary. You do not need to create or change the Private File system path. This has already been set up as part of your YaleSite.