This is almost certainly a really stupid question, but the Drupal 7 site we're building has an image gallery that users can upload content to. Unauthenticated users should not be able to see these images, but some other rôles should be able to see all the images uploaded by other users. The way we first built it, images all show up from a directory below the webroot, so anyone can see the image, if they know the URL.
I thought Private files would be my solution, so I followed the instructions there, setting up a folder in our filesystem (above the webroot, so you can only get there via Drupal) and changing the field settings within the appropriate content type to use Private files as the Upload destination and then went to set a bunch of Custom permissions, so that the appropriate users have "View anyone's value for field Image" (and so on) but that Anonymous users don't.
Then I cleared all the caches and went to upload a new image. If I go to the node page and right click to get the image URL, though, pasting that into an Anonymous Browser Mode window still shows me the image.
So I figured maybe I just needed something more fine-grained or that I'd implemented it wrong.
So I enabled the Content Access module and went back to the appropriate Content type and set the Access Control settings so that only the appropriate rôles can "View any gallery_image content" (and so on). Clearing the caches, uploading another new image, I can still grab the URL and see it from a new Anonymous Browser Mode window.
Now the Private files thing seems to be doing the right thing — the image URL is now /system/files/styles/image_thumbnail/private/gallery/images/filename.jpg and the files are appearing in the right part of the filesystem, but Drupal doesn't seem to be respecting the access control — or even just requiring that you log in.
Presumably I've done something wrong somewhere, as it seems like I'm implementing the right thing and I've just made a mistake somewhere. So is there an obvious step I'm missing?
Update: The hosting environment is RedHat Linux and we don't allow .htaccess files (we're developing the site, a third party is responsible for security, so they would rather everything go into the httpd.conf instead). This is part of why I deliberately chose a directory above the webroot, so that a .htaccess file would not be necessary. I do notice, though, that if I try to access /system/files/styles/image_thumbnail/private/gallery/images/ in a browser, I get a Drupal 403 message, not the Apache one.