Score:0

How can we restrict the access of files in public folder from anonymous users?


In my project, I am using headless Drupal with .Net on the front end.

I have to use an encrypted file system for the project requirements. I am encrypting the files and then decrypting them using an OAuth token and storing them in the public folder so that the .Net application can get the file as an API response. But the problem starts here. As these files are in the public folder, if a user logs in to the site and then copies this URL and pastes it in another browser, he can easily view that file. But this is not the desired requirement, and it creates a major security breach. So my question is: how can we restrict public files from getting accessed by anonymous users?

_how can we restrict public files from getting accessed by anonymous users?_ You can't, not at the Drupal end anyway. A standard web server setup for Drupal will serve static files if they exist, and bypass Drupal (for obvious performance reasons). Drupal has the private file system for exactly this use case, but you'll need to authenticate the requests from your front end to Drupal in order to use it. You can easily do this by logging on via the REST endpoint, and using the session/token information you receive from that for subsequent requests.
Score:1

Drupal provides a private file system mode for files ( https://www.drupal.org/docs/8/core/modules/file/overview#s-managing-file-locations-and-access ) that allows restricting access via hook_file_download ( https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Core%21File%21file.api.php/function/hook_file_download/8.9.x ).

If you can’t use private file system mode for storage then you’ll need to restrict access in your web server, such as nginx.
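As an added illustration of the hook_file_download approach described in this answer (example code, not from the question, the answerers, or Drupal core), here is how a custom module can grant private-file downloads only to authenticated accounts holding a specific permission. The module name `mymodule`, the permission name `download encrypted api files` and the directory `private://api-files/` are assumptions; the hook signature and the return-value convention (an array of headers grants access, -1 denies with a 403) are Drupal's documented ones, and `guessMimeType()` assumes Drupal 9.1 or later.

```php
<?php

use Drupal\Core\StreamWrapper\StreamWrapperManager;

/**
 * Implements hook_file_download().
 *
 * Assumed module name: mymodule (hypothetical). Only files under the
 * private:// scheme reach this hook; public:// files are served directly
 * by the web server and never pass through Drupal.
 *
 * @param string $uri
 *   The stream URI of the requested file, e.g. private://api-files/x.pdf.
 *
 * @return array|int|null
 *   Response headers to grant access, -1 to deny, NULL to abstain.
 */
function mymodule_file_download($uri) {
  // Abstain for anything outside the private scheme or outside the
  // directory this module is responsible for (assumed path), so other
  // modules' hook_file_download() decisions are not overridden.
  if (StreamWrapperManager::getScheme($uri) !== 'private'
    || strpos($uri, 'private://api-files/') !== 0) {
    return NULL;
  }

  $account = \Drupal::currentUser();

  // Deny anonymous requests and users lacking the (hypothetical) permission.
  // Returning -1 makes Drupal respond with 403 Forbidden, which is exactly
  // what a copied URL pasted into a browser without a session will get.
  if ($account->isAnonymous()
    || !$account->hasPermission('download encrypted api files')) {
    return -1;
  }

  // Returning headers grants access; Drupal then streams the file itself.
  // no-store keeps the decrypted content out of shared caches.
  return [
    'Content-Type' => \Drupal::service('file.mime_type.guesser')->guessMimeType($uri),
    'Content-Disposition' => 'attachment; filename="' . basename($uri) . '"',
    'Cache-Control' => 'private, no-store',
  ];
}
```

The front end still has to present Drupal with an authenticated identity on each download request (the session cookie obtained from the REST login, or the token the other answer mentions); without it `\Drupal::currentUser()` resolves to the anonymous account and the hook denies the request.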

Jewel Chakraborty
I tried with the private file system also, but I am not able to get the response from the .Net end as the files are private. Is there any way to get these files as a response from the .Net end? For more insights, refer to this link once: "https://drupal.stackexchange.com/questions/307514/how-can-the-custom-files-copied-by-code-to-the-private-directory-be-accessible-t/307599#307599"
Jewel Chakraborty
I have already tried to restrict access in the web server, but in that case also, I must bypass that authentication from the .Net end to get API responses. Again, I will have to send the username and password appended to the URL to bypass this server-level authentication. A hacker can get that username and password by inspecting the website, which again leads to a security breach.