Restrict File Download with Node Gallery Access

In a recent project I used Node Gallery and Node Gallery Access to create password protected image galleries that did not require a user to register an account at the site. These two modules did exactly that. However, when viewing the files directly (e.g, yoursite.com/path/to/file.png) there were no access restrictions in place. So if anyone found out the file name they could download the restricted image.

To remedy the lack of access restrictions on the individual files, I came up with the following:

  • Enable the 'Private' download method under 'admin/settings/file-system' and
  • Use hook_file_download()

hook_file_download() snippet

<?php
/**
 * Implementation of hook_file_download().
 */
function custommodule_file_download($filepath){
   
// redirect user if filepath is part of a gallery
   
$sql = 'SELECT d.access_type FROM {files} a '
       
. 'LEFT JOIN {content_type_node_gallery_image} AS b ON a.fid = b.field_node_gallery_image_fid '
       
. 'LEFT JOIN {node_gallery_images} AS c ON b.nid = c.nid '
       
. 'LEFT JOIN {node_gallery_access} AS d ON c.gid = d.nid '
       
. 'WHERE a.filename = "%s"';
   
$result = db_fetch_object(db_query($sql,$filepath));
    if(
$result->access_type) return -1;
    else return
NULL;
}
?>
Categories: 

2 comments

by david (not verified) on Mon, 10/31/2011 - 02:00

How do we add a counter or a ip address restriction to the above snippet? I want to restrict members from downloading the file multiple times and prevent hotlinking to the file. The counter is to prevent my bandwidth

----------------------------------------
http://www.squidoo.com/what-i-would-want-in-a-notepad-editor - notepad for sql

by gbrands on Thu, 01/12/2012 - 10:33

Hi David,

You would have to keep track of the users who downloaded the file with another table. Then you would query that table to see if the user has already downloaded the file. As far as IP Restriction, you can probably just use the $_SERVER['REMOTE_ADDR'] variable to restrict based on IP.

Hope this helps!

Restrict File Download with Node Gallery Access | Gerrit Brands

Error message

  • Warning: Cannot modify header information - headers already sent by (output started at /homepages/29/d196880538/htdocs/drupal7/includes/common.inc:2681) in drupal_send_headers() (line 1212 of /homepages/29/d196880538/htdocs/drupal7/includes/bootstrap.inc).
  • PDOException: SQLSTATE[42000]: Syntax error or access violation: 1142 INSERT command denied to user 'dbo354826752'@'74.208.16.6' for table 'watchdog': INSERT INTO {watchdog} (uid, type, message, variables, severity, link, location, referer, hostname, timestamp) VALUES (:db_insert_placeholder_0, :db_insert_placeholder_1, :db_insert_placeholder_2, :db_insert_placeholder_3, :db_insert_placeholder_4, :db_insert_placeholder_5, :db_insert_placeholder_6, :db_insert_placeholder_7, :db_insert_placeholder_8, :db_insert_placeholder_9); Array ( [:db_insert_placeholder_0] => 0 [:db_insert_placeholder_1] => cron [:db_insert_placeholder_2] => Attempting to re-run cron while it is already running. [:db_insert_placeholder_3] => a:0:{} [:db_insert_placeholder_4] => 4 [:db_insert_placeholder_5] => [:db_insert_placeholder_6] => http://gerritbrands.com/blog/restrict-file-download-node-gallery-access [:db_insert_placeholder_7] => [:db_insert_placeholder_8] => 54.156.92.46 [:db_insert_placeholder_9] => 1503039593 ) in dblog_watchdog() (line 154 of /homepages/29/d196880538/htdocs/drupal7/modules/dblog/dblog.module).

Error

The website encountered an unexpected error. Please try again later.