Drupal 8 offers several ways to manage access rights on each element of a piece of content, in a very granular way. Granting view or edit access to a field of a content type can be achieved very simply, with a few lines of code or with the Field Permissions module. We can use this module to allow certain roles to view or update a particular field.
The case of documents associated with content is slightly different. You may want to let users see a document or file attached (via a File field) to a piece of content while controlling who can download it. In other words, you may want to manage the right to download a file while still allowing it to be displayed (and so revealing its existence).
This is where the Protected file module comes in. For each attached file, this module lets you define whether downloading it is publicly accessible or requires a particular role. For a protected file, the module presents an alternate link (configurable, for example the link to the authentication page) instead of the download link.
Let's discover this module.
Prerequisites for the installation of the module
In order to control access to files, this module can only work if the site has a private file system configured. Files stored on the Drupal public file system are served directly by the web server, and consequently Drupal cannot control access rights to these files.
Using the module
The Protected file module provides a new field type called ... Protected file. This new field type extends the File field type provided by Drupal core and is very similar in terms of configuration. To enable file access control, we need to add a new field to our content.
Configuring the Protected file
Let's add a Protected file field to our article content type.
And we can configure its storage settings.
We note that the private file system is automatically selected and locked. We configure the field for an unlimited number of files.
Then we configure the parameters of the instance of this field on the content type Article on which we created it.
We configure the various parameters, which are identical to those of a standard File field type (allowed extensions, upload directory, maximum file size, etc.).
Configuring Display Settings for the Protected File Field
We configure the display settings for our new field.
We have several options. We can:
- Choose whether or not to open the file in a new tab.
- Configure the URL that will replace the file's download URL if the user does not have sufficient access rights.
- Choose whether or not to open the previously defined URL in a modal window.
- Define the message that will feed the title attribute of the link set above. This message is provided as a variable to the template that renders the links and can therefore be displayed directly with a simple override of the template in your theme.
All that remains is to set the permissions according to your needs.
And the configuration is complete. We can now publish content and associated documents, protected or not.
Enabling Download Protection
Using the module is really simple. In the content creation / editing form, we can enable or disable this protection for each uploaded file by checking the corresponding checkbox.
And the result: an authenticated user can access the files' download links.
And for anonymous visitors:
In the example above, the download link of the PDF file example 1 has been replaced by the URL that we defined in the display settings (/user/login). A click on the protected file opens this page in a modal window.
The Protected file module allows users to simply control access to the documents attached to content. It should be noted that direct download links (sent by e-mail by an authenticated user, for example) are also managed, and require the same access rights.
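Why the private file system is a prerequisite, and why a forwarded direct link is still checked, can be seen in the following added sketch, which is not the Protected file module's own code: every request for a private:// file passes through Drupal and its hook_file_download() implementations. The module name example_guard, the protected/ sub-directory and the permission name are assumptions made for this illustration.

```php
<?php

/**
 * @file
 * example_guard.module (hypothetical module, for illustration only).
 *
 * Assumes a "download protected files" permission declared in
 * example_guard.permissions.yml and files stored under private://protected/.
 */

/**
 * Implements hook_file_download().
 *
 * Drupal calls this hook on every request for a private file, including
 * a direct link pasted into an e-mail. Files on the public file system
 * are served by the web server and never reach this code.
 */
function example_guard_file_download($uri) {
  // Only act on the (assumed) protected directory of the private scheme.
  if (strpos($uri, 'private://protected/') !== 0) {
    // NULL means "no opinion": other modules and core decide.
    return NULL;
  }

  // Ignore paths that do not correspond to a managed file entity.
  $files = \Drupal::entityTypeManager()
    ->getStorage('file')
    ->loadByProperties(['uri' => $uri]);
  if (empty($files)) {
    return NULL;
  }

  // The check runs against whoever makes the request, not against the
  // user who originally copied the link.
  if (!\Drupal::currentUser()->hasPermission('download protected files')) {
    // -1 makes Drupal answer the request with "403 Access denied".
    return -1;
  }

  // Permitted here; core's own file access checks still apply.
  return NULL;
}
```

Because a single -1 from any implementation denies the download, a check like this can only tighten access, never widen what core already allows.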