Posted by Evan Wise on August 13, 2008 at 4:47pm
Hi all,
I need some help with the following situation.
User A uploads a file that only User B is allowed to see. I want to have User A easily upload the file and then, via a view, have User B access the new file.
I have already turned of private files in Drupal to enable the first level of security but I don't know how to easily set up the modules/permissions to have User B (or User A) access the file.
Thanks in advance,
E/.
Comments
I would try this: create a
I would try this: create a content type that includes a file upload and a user reference (or optionally, multiple user references).
In a view, create a filter that displays the content type only for the user referenced.
Scott Morgan
www.webzoa.com
Scott Morgan
www.webzoa.com
Would work
But not really secure. Since people could still navigate to the node that contained that file.
I was talking to Evan about this, and I think a CCK type plus Filefield plus Content Access / ACL will work. It looks like Content Access can set per user permissions.
In general, a "my files" view that has all file nodes that the user can see would be a very useful thing to add to the site.
working so far!
I found that using a combination of the FileField + Content Access + ACL worked. I had to enable the "administer access control" in the role of the User A (person posting the files) to allow them to include User B as someone who has access to the files uploaded. Once the new node (w/ file) is created User A has to User B as a viewer of that particular node. This requires "Enable per node access control settings" to be selected when creating your new CCK object.
Seems to work well and a nice unauthorized access to those that don't have permission to get the files. It is key to use Private Files though - otherwise HTTP requests nicely deliver those private files! I still need to test more but things appear to be working great.
Cheers,
E/.
--
Evan Wise
http://justwerks.com
Skype: evan_wise
--
Evan Wise
http://justwerks.com
Skype: evan_wise
An improvement
You could code the theme's node template file for that content type to display the file link in the teaser only for the correct user(s). Then show that teaser in the view. Still not absolutely secure, as anyone who knows the file name would still be able to download it.
But I think it's easier for the end user - no having to mess with content access lists. But it is a bit of a uglyish hack I suppose.
Depends on level of security needed
And in any case, I'm assuming that User A needs to know which User B to give access to, so they'll have to pick from a list somehow. Also, I would never in a million years put this in the node template file as part of the theme -- this is business logic. Even if it is applied at the theme level, this sort of thing should go in a module (you can put anything that's in a template.php or tpl.php file in a module, you might just have to wrap it in a function that gets called in the tpl file).
Turning content access into a CCK widget / auto complete and/or cleaning up the UI so that it's easier to select whom to allow access would be good. There are few applications that need granular user level security like this in any case -- usually groups or roles is an easier way to apply security.
(which really actually has me curious about what Evan's use case is, but that's a question for another day....)