Good point Ivan.. Thanks!
Do you happen to know what to put into .htaccess to make this happen so I can keep in my notes?
Also.. I think there was a summer of code project to allow private and public files simultaneously. I haven't tried the module, but that would be nice so you don't have to stream every image just because you need a few files protected.
On Mar 19, 2008, at 9:36 AM, Ivan Sergio Borgonovo wrote:
On Wed, 19 Mar 2008 09:21:43 -0400 Mark Shropshire mdshrops@shropnet.com wrote:
Walter,
I would love to hear more form others as I have a number of sites set to private where the folder is above the root web and I need to convert back to public with files in sites/default/files.
Anyway, I do know that it is a good idea to make sure the files folder is about the root web our out of there when using private files setting. If you don't, someone who knows the correct file name can go directly to the file. If a private file is called via a drupal node, drupal will only stream the file out to the client if they have the proper permissions.
It is not "the solution" but it works. You just have to add an .htaccess that deny all direct access.
-- Ivan Sergio Borgonovo http://www.webthatworks.it
-- [ Drupal support list | http://lists.drupal.org/ ]