问题描述
我需要在Drupal 7上开发一个网站。我有一些内容类型与CCK中的文件字段。而且这些类型的节点的访问只能被授予特定的Drupal用户角色。在任何时候,站点管理员应该能够使这些节点公开或私有。
我可以使节点只对特定的用户角色可见,但这是不够安全如果匿名用户知道文件路径(www.mysite.org/hidden_files/file1),他可以下载它。
什么是最优雅的方式来解决这个问题
提前感谢
:
具体来说,有关设置私有数据存储(所有由Drupal 7支持的文件位置和访问权限)部分,仅需配置)。
要更改,创建一个文件夹,例如:
sites / default / files / private
将 .htaccess 文件放在该文件夹中,具有以下功能,以防止通过网络直接访问文件: p>
拒绝所有
(文档声称f以下步骤自动执行上述步骤,我还没有测试不幸,但如果跳过上述两个步骤,您可能可以节省一些时间)
登录到Drupal的管理界面,转到 / admin / config / media / file-system ,配置私有URL,并选择由Drupal提供的私有文件作为默认的下载方式。
为了定义对节点和字段的细粒度访问,您可以使用内容访问
您还需要编辑您的内容类型,并设置文件/图像上传字段将上传的文件保存到私人文件,而不是公共文件。
此时,节点和字段级别权限将决定是否允许用户访问将通过验证凭据的菜单钩子提供的文件在服务该文件之前的内容。
希望这有帮助。
I need to develop a site on Drupal 7. I have some content types with File fields in CCK. And access to nodes of these types should be granted only to specific Drupal user role. And at any moment site administrator should be able to make these Nodes 'public' or 'private'.
I can make nodes visible only to specific user roles, but this is not secure enough. If anonymous user knows the path to file ( www.mysite.org/hidden_files/file1 ), he can download it.
What is the most elegant way to solve this problem?
Thanks in advance.
Check out this documentation here: http://drupal.org/documentation/modules/file
Specifically, the section titled "Managing file locations and access" which talks about setting up a private data store (all supported by Drupal 7, it just needs to be configured).
To paraphrase, create a folder such as:
sites/default/files/private
Put a .htaccess file in that folder with the following to prevent direct access to the files via the web:
Deny from all
(the documentation claims that the following step does the above steps automatically, I haven't tested that unfortunately but you may be able to save some time if you skip the above two steps)
Log into Drupal's admin interface, go to /admin/config/media/file-system, configure the private URL and select Private Files Served by Drupal as the default download method.
In order to define the fine-grained access to nodes and fields, you can use Content Access: http://drupal.org/project/content_access
You will also need to edit your content types and set the file / image upload fields to save the uploaded files into Private Files instead of Public Files.
At this point, the node and field level permissions will determine whether or not users are allowed to access the files which will be served through menu hooks that verify credentials before serving the file.
Hope this helps.
这篇关于Drupal 7:如何限制文件访问特定的用户角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!