Introduction to Protected file module on Drupal 8

lock on a grid

Drupal 8 has several solutions and methods to manage access rights on each elements included in a content, and this in a very granular way. Enabling view or edit access on some field included in a content type can be achieved very simply, with a few lines of code, or with the Field Permissions module. We can use this module to allow certain roles to view or update a particular field.

The problem with the case of documents associated with content is slightly different. You may want to let view rights to a document or file attached (via a File field) to a content while controlling the rights to be able to download this document. In other words, you can want to manage the rights to download a file while allowing its visualization (and so its existence).

This is where the Protected file module answers. This module allows to define, for each attached file, if downloading it is publicly accessible or if it requires a particular role. In the case of a protected file, the module then presents an alternate link (configurable, for example the link to the authentication page) instead of the download link.

Let's discover this module.

Prerequisites for the installation of the module

In order to control access to files, this module can only work if the site has a private file system configured. In fact, files stored on the Drupal public file system are accessible directly from the Web server, and consequently Drupal can not control access rights to these files.

Using the module

The Protected file module provides a new field type called ... Protected file. This new field type extends the File field type provided by Drupal core and is almost similar in terms of configuration. To enable file access control, we need to add a new field to our content.

Configuring the Protected file

Let's add a Protected file field to our article content type.

Ajour du champ


And we can configure its storage settings.


Paramètres de stockage du champ

We note that the private file system is automatically selected and locked. We configure the field for an unlimited number of files.

Then we configure the parameters of the instance of this field on the content type Article on which we created it.

Paramètres du champ

We configure the various parameters, which are identical to those of a standard File field type (allowed extensions, upload directory, maximum file size, etc.).

Configuring Display Settings for the Protected File Field

We configure the display settings for our new field.

Paramètres d'affichage du champ

We have several options. We can :

  • Choose to open the file in a new tab or not
  • Configure the url that will replace the file's download url, if the user does not have sufficient access rights.
  • Choose to open the previously defined url in a modal window, or not
  • Define the message that will feed the title tag of the link set above. This message is provided as a variable to the template for rendering the links and can therefore be displayed directly with a simple override of the template in your theme

Configuring permissions

All you have to do is to set the permissions according your needs.

Permissions protected file

And the configuration is complete. We can now publish content and associated documents, protected or not.

Enabling Download Protection

Using the module is really simple. In the content creation / editing form, we can, for each file uploaded, activate or not this protection, by checking the corresponding checkbox.

Formulaire d'ajout des fichiers

And with the result : an authenticated user can access to the files download links.

Fichiers protégés téléchargeables

And for anonymous visitors

Fichiers protégés

In this example above, the download link of the PDF file example 1 has been replaced by the url that we defined in the display settings (/user/login). And a click on the protected file opens a modal window on this page.

Fenêtre modal de login

The Protected file module allows users to simply control access to the documents provided in a content. It should be noted that direct download links, sent by e-mail, for example, by an authenticated user, are also managed, and require the same access rights.



Ajouter un commentaire