[development] Rewrite rules and file access

Lee Rowlands rowlands at rowlands1.dnsalias.org
Wed Jul 14 20:45:40 UTC 2010


Thanks Ken
This is essentially what I'm doing, it's the 'denying direct access to
the imagecache path' that I'm stumbling on, this site is an online print
store where the user designs and pays for their printing in the browser
(lots of js!). They need to upload images for their design (scale, crop
etc) but these need to be private (even for anonymous). Each of the
printing options is a node and each can have a different print size
requiring a new imagecache preset. I can handle protecting these presets
with my node hooks by creating the imagecache folders and adding
the .htaccess on hook_insert, but my module isn't in isolation so
Ubercart, the client and other modules are defining their own presets -
I'm hoping for a more elegant solution than say a hook_init to check the
defined presets against a list that has been previously protected,
creating new .htaccess files for those that are unprotected. This is
mainly because once the site is live, the bulk of the new presets will
be from the custom module so the hook_init will be largely redundant but
(in my belief) a necessary security measure.

Lee

On Wed, 2010-07-14 at 08:17 -0400, Ken Winters wrote:
> I had the same issue at one point.  I think the end solution was
> writing a new callback (so it didn't map directly to a file), setting
> up a perm check on it, and on success returning what imagecache would
> have.  Then I denied direct access to the imagecache path.
> 
> - Ken Winters
> 
> On Jul 14, 2010, at 5:58 AM, Lee Rowlands wrote:
> 
> > Hi
> > I asked this one on the list during Drupalcon SF but got no response
> > (the list was quiet that week!) so here goes again:
> >
> > *The Background*
> > ---------------
> > I've got a module I'm working on that needs to force some images to go
> > via the private download method.
> > This is working fine rerouting links via system/files in combination
> > with a htaccess file limiting direct access to the directory.
> > I also need thumbnails in various sizes of the images so it makes
> > sense to use imagecache.
> > I want the site in public download method except for these files and
> > I've successfully got the imagecache integration working.
> > I've used hook_menu_alter to prevent people accessing the relevant
> > imagecache file path directly, rerouting the imagecache cached images
> > via system/files.
> > The problem is, once the imagecache file is created, the file is no
> > longer being served via Drupal, with Apache serving it direct. This
> > obviously does not get near my access callback.
> >
> > *The Questions*
> > ---------------
> > Is this down to Drupal's rewrite rules?
> > Are the rewrite rules not evaluated if the file actually exists?
> > Can I create a rewrite rule to force this file to go through Drupal
> > (the relevant files all contain a common element in their path so I
> > should be able to match it) or do I need to consider alternatives such
> > as creating .htaccess files in the subfolders for each imagecache
> > preset, monitoring for new presets?
> >
> > Any suggestions welcome.
> > Lee Rowlands
> >
> >
> 
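
The rewrite-rule behaviour asked about above, as an added example that is not part of the original thread: Drupal's stock catch-all rule only fires when the requested path is not an existing file, so a derivative that imagecache has already written is served by Apache and never reaches the access callback. The sketch assumes Apache mod_rewrite, a public files directory of `sites/default/files`, a hypothetical common path element `private-designs`, and that `system/files/imagecache/...` is already access-checked as described in the thread.

```apache
# Added example (not from the thread). Goes in the docroot .htaccess.
# Assumptions: files directory is sites/default/files; the private uploads
# share the hypothetical path element "private-designs"; the
# system/files/imagecache/... route is protected by the module's access
# callback.

<IfModule mod_rewrite.c>
  RewriteEngine on

  # Must appear BEFORE Drupal's catch-all rule. There is no "!-f" condition,
  # so this fires even when the derivative already exists on disk. Matching
  # ([^/]+) for the preset name covers presets defined by any module, so no
  # per-preset .htaccess file is needed.
  RewriteRule ^sites/default/files/imagecache/([^/]+)/private-designs/(.*)$ index.php?q=system/files/imagecache/$1/private-designs/$2 [L,QSA]

  # Drupal's stock rule, shown for comparison. The !-f and !-d conditions
  # skip the rewrite for existing files and directories, which is why an
  # already-generated imagecache file bypasses Drupal entirely.
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_URI} !=/favicon.ico
  RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
</IfModule>
```

Because the rule is keyed on the shared path element rather than the preset name, derivatives for presets added later are covered without further changes, and public images outside that path are still served directly by Apache.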