Always secure the files on your website properly | why (and how to do it in Drupal)

(Available as freelancer)

Joris Snoek

Business Consultant
/ Drupal Developer

Per May 25th 2018, the General Data Protection Regulation comes into effect, making it advisable to have an extra check on the security of your data. Here are some tips on securing files in Drupal:

Paris is always a great idea

When we left for Paris for new years’, we needed a cat sitter. I looked around and found Pawshake: an international platform which soon provided us with someone. I quickly realized it was a Drupal platform, so I made a profile on it and decided to test the waters: is my profile picture being protected…? And it appears it doesn’t seem that way! Anyone can see my picture without logging in. You can check it yourself, it’s not great. How they could fix it:

Public vs Private files

Generically speaking, there are two kinds of files, when you manage a website- or app: public or private. Technically speaking you will have to decide how your content management system will manage those files and how to apply the correct security on them. This depends on the kind of services you are providing with your website- or app.

Public files

These are primarily used by websites with public content, with nobody logging in (except for content managers and admins) and which are mainly used to provide information regarding products and/ or services.

Private files

These are primarily used in case of a web application such as:

• Social intranet;
• Online community;
• Chat application.

For the last one you’d like all files being uploaded by a user not to be visible for just everybody – and you’ll have to design your system accordingly.

Private and public files in Drupal

Drupal contains an extensive file management system which can facilitate public and private files. You can reach the settings via the configuration screen:

As soon as you click on the File system the details will appear:

1. Directory where the public files are being saved.
2. The absolute URL which is put in front of all public files
3. Directory where the private files are being saved, in this case not activated yet.
4. Standard way how a file can be downloaded, as soon as the private files directory has been set up, you’re also able to opt for private.
5. Time before temporary/ orphaned files will be removed permanently. This concerns all files with status 0 in the database.

Activate Private files in Drupal.

The above is a standard installation, with the files set on public. But as described, you might want to protect your files, making them accessible to users with the right permission only – instead of the whole, anonymous world. This is how to do it:

Configure the private files directory in settings.php:

In this case you opt for ../files. Makes sure this directory is outside the webroot, otherwise there might be a chance that your private files are publicly available anyway. If you empty your caches after that (Flush all caches) you can pick you pick private files as default download method:

1. The path as set in settings.php
2. Adjust the /tmp directory, ensuring temporary files to also be protected.
3. Set private files as default download method.

Now, Drupal is configured to treat all files as private: if visitors want to download a file, or want to look at an image for example, it will be via a Drupal system call and not by directly invoking the file by the browser. In that call Drupal decides whether the visitor concerned has permission to download the file.

Determining yourself whether someone is allowed to download a private file or not with the help of hook_file_download().

Currently, we are building a chat application based on Drupal and NodeJS: Lus. This has channels (group chats), in which files can be shared. Of course we only want people in the channel concerned to be able to download the files from that group. For example, if you’re not in group A, it ought to be impossible to approach files in that group A.

For more information regarding Lus, see lus.digital & docs.lus.digital.

This concerns a custom web-app, that’s why Drupal doesn’t have suitable permissions to sufficiently secure this. but no worries: hook_file_download() to the rescue, here is a code which we produced in our .module file:

Drupal recognizes the hook_file_download(),making sure it will invoke this function when someone is about to download a file via Drupal’s private file system.

What this code basically does:

1. Checking who the current user is.
2. Checking whether that user is in the channel to which the file has been uploaded.
3. When the user is in the channel: loading file and returning file, making it available for the visitor concerned.
4. When the user is not in the channel concerned: provides a not found.

Wrap up

Generically speaking, there are public and private files on the internet. Determine which file system you need, before you start producing an online platform, website or app. If you deploy Drupal, I hope that you can structure the files properly and securely with the information as provided above. Any questions? Let me know!

Image Credits