On Tue, April 12, 2011 9:33 pm, Paul Bennett wrote:
> I have an app with a content type that allows file attachments. The
> content type is set to only allow users of a certain role to view these
> attachments, which works fine after the node has been saved (the file
> inherits the node's permissions).
>
> The way the Drupal (6) upload module works however, is to load the file to
> the server and then only apply the node or role level permissions after
> the node is saved.
> This means that between the time the file is loaded to the server and the
> node is saved the file is completely unsecured, and my client is extremely
> security conscious.
>
> Does anyone have any suggestions for how to secure the file so it can't be
> accessed directly before the node is saved?
>
> (I've looked at the standard private upload option but the file is still
> only secured after the node is saved)

If you are using private files and have the file dir outside the webroot,
then there is no means for an external user to reach the file. The file
will only be reachable when saved, when Drupal can build a path to the
file.

Uploads are normally placed in a tmp dir, then transferred to the file
dir, but external web users should not have access to tmp.

Regards
Jonathan
-- 
http://huntdesign.co.nz
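
An added example, not part of the original thread: a Python check for the layout the reply relies on, confirming that the file directory and tmp directory really resolve outside the webroot. The directory names and labels are constructed for the demonstration; on a real site you would pass in the configured webroot, file system path and temporary directory.

```python
import os
import tempfile

def is_inside(path, root):
    """True if path, with symlinks resolved, is root or lies beneath it."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    # Compare whole path components: /srv/www-private is not inside /srv/www.
    return os.path.commonpath([path, root]) == root

def links_into(webroot, target):
    """Symlinks under webroot that resolve into target and so re-expose it."""
    return [os.path.join(d, n)
            for d, dirs, files in os.walk(webroot) for n in dirs + files
            if os.path.islink(os.path.join(d, n))
            and is_inside(os.path.join(d, n), target)]

def audit(webroot, dirs):
    """Map each labelled directory to 'ok' or the reason it is web-reachable."""
    report = {}
    for label, path in dirs.items():
        if is_inside(path, webroot):
            report[label] = "exposed: resolves inside webroot"
        elif links_into(webroot, path):
            report[label] = "exposed: symlinked from webroot"
        else:
            report[label] = "ok"
    return report

def sample_report():
    """Build a constructed layout in a scratch directory and audit it."""
    base = tempfile.mkdtemp()
    p = lambda *parts: os.path.join(base, *parts)
    webroot, public = p("www"), p("www", "sites", "default", "files")
    for d in (public, p("www-private"), p("tmp"), p("shared")):
        os.makedirs(d)
    os.symlink(public, p("alias"))            # looks outside, resolves inside
    os.symlink(p("shared"), p("www", "dl"))   # outside dir linked into webroot
    return audit(webroot, {
        "files in webroot": public,
        "private files": p("www-private"),
        "tmp": p("tmp"),
        "alias": p("alias"),
        "shared": p("shared"),
    })

if __name__ == "__main__":
    for label, status in sample_report().items():
        print(f"{label:18} {status}")
```

The symlink case only matters when the web server is configured to follow symlinks, which this check does not inspect.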


-- 
NZ PHP Users Group: http://groups.google.com/group/nzphpug