
Drupal 7, only registered users can view on node but anyone can download via link, htaccess issue?

I have files attached to a custom content type, with the field set up as a private download. I also have Field Permissions so only registered users who sign up (auto role assignment too) can view the download link on the node page. This works fine: admin and the users under a specific role can see the file to download, but my problem is that anyone can get a copy of the link, i.e. http://develop.ment/system/files/test/SuperSecret.txt, and can download the file with no issues or need to register.

Do I need a module to restrict the access, or even a .htaccess rule, to stop the file being accessed/downloaded unless it is done by a logged-in user from the Drupal node?

It seems stupid to have such restrictions available through Drupal yet anyone can easily download the file no matter what permissions I set.

So guys, what am I missing? It seems like a .htaccess hack would fix this; I just don't know how or where to start. Oh, and the files are stored in /var/www/vhosts/develop.ment/private whereas the Document Root is actually develop.ment/httpdocs. Does this affect the problem? It just seems safer to have private downloads stored outside of the DocRoot.


You should use the IMCE module for download purposes. It enables you to have your private files (i.e. files whose access is restricted by an autogenerated .htaccess) served by Drupal itself, not by Apache.

Then configure IMCE by role to define access rights.


There was actually a serious security bug, fixed in Drupal 7.1 and 7.2. See the section Access bypass in File module in SA-CORE-2011-001 - Drupal core - Multiple vulnerabilities.

My Drupal installation is at 7.2. I use the Content Access module to control access to individual nodes. If I set the access control so that a node is viewable only by authenticated users, then an attached private file (in my case, an image field) is also visible only to authenticated users. An anonymous user cannot access the file by requesting the URL http://example.com/system/files/some-image.jpg directly. If I make the node viewable by anyone, then that URL becomes directly accessible again.

You are using Field Permissions, not Content Access. I haven't tested that case, but you can upgrade to 7.1 or 7.2 and see if it does work after that.

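Added example (not from either answer, not Drupal core and not any contrib module) showing where Drupal 7 actually makes the decision the question is about: every request to system/files/... for a file on the private stream is routed through file_download(), which asks each module via hook_file_download(). Returning -1 denies, returning an array of headers grants, and returning NULL leaves the decision to other modules (the core File module grants only after its own field access check passes). The module name hypothetical_private_guard and the role name subscriber are assumptions; the module also needs a hypothetical_private_guard.info file with a name and core = 7.x line. The private directory itself should stay outside the DocRoot, as the question already does; Drupal writes a Deny from all .htaccess into it, so Apache never serves those files directly and this hook is the only way out.

```php
<?php
// hypothetical_private_guard.module (constructed example, not Drupal core
// or any contrib module). Enforces a site-wide rule on top of the File
// module's field/node access checks for files on the private:// stream.

/**
 * Implements hook_file_download().
 *
 * Drupal 7 calls this for every system/files/... request. The return value
 * is the vote: -1 = deny, array of headers = allow, NULL = no opinion.
 *
 * @param string $uri
 *   Stream URI of the requested file, e.g. private://test/SuperSecret.txt.
 */
function hypothetical_private_guard_file_download($uri) {
  // Public files are served by the web server and never reach this hook,
  // so only the private stream needs a policy here.
  if (file_uri_scheme($uri) !== 'private') {
    return NULL;
  }

  // Policy 1: anonymous users get nothing from the private store, whatever
  // other modules would otherwise allow. Log it so repeated probing of the
  // direct system/files URL shows up in the watchdog log.
  if (!user_is_logged_in()) {
    watchdog('private_guard',
      'Anonymous download attempt for %uri denied.',
      array('%uri' => $uri),
      WATCHDOG_WARNING);
    return -1;
  }

  // Policy 2: require the role that auto-role-assignment grants on signup
  // (role name 'subscriber' is an assumption), unless the user can
  // administer nodes. $user->roles is keyed by rid with the role name as value.
  global $user;
  $has_role = in_array('subscriber', $user->roles, TRUE);
  if (!$has_role && !user_access('administer nodes')) {
    watchdog('private_guard',
      'User %uid lacks the required role for %uri.',
      array('%uid' => $user->uid, '%uri' => $uri),
      WATCHDOG_NOTICE);
    return -1;
  }

  // Abstain: the File module's own field_access() check (which is where
  // Field Permissions plugs in) still has to grant the download.
  return NULL;
}
```

Note that this hook is additive: a single -1 from any module wins, so it can only tighten access, never loosen the File module's own check. After enabling the module, the test a practitioner would run is exactly the one in the question: request the system/files URL from a browser with no session cookie and confirm a 403 rather than the file.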
