On Wed, 19 Mar 2008 09:21:43 -0400 Mark Shropshire mdshrops@shropnet.com wrote:
Walter,
I would love to hear more from others as I have a number of sites set to private where the folder is above the root web and I need to convert back to public with files in sites/default/files.
Anyway, I do know that it is a good idea to make sure the files folder is above the root web or out of there when using private files setting. If you don't, someone who knows the correct file name can go directly to the file. If a private file is called via a Drupal node, Drupal will only stream the file out to the client if they have the proper permissions.
It is not "the solution" but it works. You just have to add an .htaccess that denies all direct access.
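
The two placements discussed in this thread can be checked with a short audit script. This is an added example, not code from either poster or from Drupal; the function names and the directory layout built in `demo()` are hypothetical, and it assumes the deny rule lives in an `.htaccess` directly inside the files folder.

```python
import os
import re
import tempfile

# Matches the Apache 2.2 ("Deny from all") and 2.4 ("Require all denied") forms.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)

def is_inside(path, root):
    """True if path resolves to root itself or something beneath it."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root

def has_deny_all(files_dir):
    """True if files_dir/.htaccess contains an uncommented deny-all directive."""
    try:
        with open(os.path.join(files_dir, ".htaccess"), encoding="utf-8") as fh:
            text = fh.read()
    except OSError:
        return False
    return bool(DENY_RE.search(text))

def audit_private_files(docroot, files_dir):
    """Classify a private files directory relative to the web root."""
    if not is_inside(files_dir, docroot):
        return "outside-docroot"
    if has_deny_all(files_dir):
        return "inside-docroot-denied"
    return "inside-docroot-exposed"

def demo():
    """Build a constructed directory layout and audit three placements."""
    with tempfile.TemporaryDirectory() as base:
        docroot = os.path.join(base, "public_html")
        above = os.path.join(base, "private_files")
        exposed = os.path.join(docroot, "sites", "default", "files")
        guarded = os.path.join(docroot, "sites", "default", "private")
        for d in (above, exposed, guarded):
            os.makedirs(d)
        with open(os.path.join(guarded, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write("Deny from all\n")
        return {
            "above": audit_private_files(docroot, above),
            "exposed": audit_private_files(docroot, exposed),
            "guarded": audit_private_files(docroot, guarded),
        }

if __name__ == "__main__":
    print(demo())
```

A result of `inside-docroot-denied` only holds if the server is Apache and its configuration allows `.htaccess` overrides for that directory, so a direct request for a known file name is still worth testing by hand.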