Drupal 7:如何限制对特定用户角色的文件访问 [英] Drupal 7: how to restrict file access to specific user roles
问题描述
我需要在 Drupal 7 上开发一个站点.我在 CCK 中有一些带有文件字段的内容类型.并且访问这些类型的节点应该只授予特定的 Drupal 用户角色.并且在任何时候,站点管理员都应该能够将这些节点设为公共"或私有".
我可以让节点只对特定的用户角色可见,但这不够安全.如果匿名用户知道文件的路径( www.mysite.org/hidden_files/file1 ),他可以下载它.
解决这个问题最优雅的方法是什么?
提前致谢.
在此处查看此文档:http://drupal.org/documentation/modules/文件
具体来说,标题为管理文件位置和访问"的部分讨论了设置私有数据存储(Drupal 7 都支持,只需要配置).
换句话说,创建一个文件夹,例如:
站点/默认/文件/私有
在该文件夹中放置一个 .htaccess 文件,其中包含以下内容,以防止通过网络直接访问这些文件:
拒绝所有人
(文档声称以下步骤会自动执行上述步骤,遗憾的是我没有测试过,但如果您跳过上述两个步骤,您可能会节省一些时间)p>
登录 Drupal 的管理界面,进入 /admin/config/media/file-system,配置私有 URL 并选择 Drupal 提供的私有文件作为默认下载方式.
为了定义对节点和字段的细粒度访问,您可以使用内容访问: http://drupal.org/project/content_access
您还需要编辑您的内容类型并设置文件/图像上传字段以将上传的文件保存到私人文件而不是公共文件中.
此时,节点和字段级别权限将决定是否允许用户访问将通过菜单挂钩提供的文件,这些挂钩在提供文件之前验证凭据.
希望这会有所帮助.
I need to develop a site on Drupal 7. I have some content types with File fields in CCK. And access to nodes of these types should be granted only to specific Drupal user role. And at any moment site administrator should be able to make these Nodes 'public' or 'private'.
I can make nodes visible only to specific user roles, but this is not secure enough. If anonymous user knows the path to file ( www.mysite.org/hidden_files/file1 ), he can download it.
What is the most elegant way to solve this problem?
Thanks in advance.
Check out this documentation here: http://drupal.org/documentation/modules/file
Specifically, the section titled "Managing file locations and access" which talks about setting up a private data store (all supported by Drupal 7, it just needs to be configured).
To paraphrase, create a folder such as:
sites/default/files/private
Put a .htaccess file in that folder with the following to prevent direct access to the files via the web:
Deny from all
(the documentation claims that the following step does the above steps automatically, I haven't tested that unfortunately but you may be able to save some time if you skip the above two steps)
Log into Drupal's admin interface, go to /admin/config/media/file-system, configure the private URL and select Private Files Served by Drupal as the default download method.
In order to define the fine-grained access to nodes and fields, you can use Content Access: http://drupal.org/project/content_access
You will also need to edit your content types and set the file / image upload fields to save the uploaded files into Private Files instead of Public Files.
At this point, the node and field level permissions will determine whether or not users are allowed to access the files which will be served through menu hooks that verify credentials before serving the file.
Hope this helps.
这篇关于Drupal 7:如何限制对特定用户角色的文件访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
