Sharing Files via Drupal: Methods, Pros/Cons, Alternatives


File Management Basics

At some point, you or your content manager will have a need to share files via your unit's Drupal website, but what is the right way to do this?

Cloud Storage Options

In general, Drupal, like any modern content management system (CMS), should not be used as a substitute for a file sharing application.  If you simply need to share files with others in your unit (or even others anywhere at Georgia Tech but not publicly), you should use one of OIT's approved file sharing offerings, which include:

  • Microsoft OneDrive
  • Dropbox
  • Box

Please see OIT's Cloud Storage Offerings FAQ for details on each of these services.

Intranets

An intranet is a private website/service where you can store both files and other content solely for the use of your unit.  An intranet is an excellent tool for letting members of your unit share with each other while keeping others out.

The quickest way to build an intranet is to use Microsoft Teams / SharePoint.  The easy path is to simply create a Team for your unit, which automatically creates much of the SharePoint backend for you.  If you need more power than what Teams provides on its own, you can delve into the SharePoint side of the system to see what it offers.

You could build a Drupal site as an intranet site, but to be secure this should always be a separate site from your unit's public website.  This is because configuring a Drupal site for both public and private content is very tricky, and not doing it right could expose private information to the world.  Plus, the best protection for an intranet is wrapping the entire site in authentication based security, and possibly also wrapping the entire site in firewall rules to limit access to campus and the Georgia Tech VPN.

File Storage with a Public Drupal Site

There are times when a content manager desires to present public web pages with links to files that support the page content.  Drupal, like most content management systems, has support for this, and Drupal's built-in mechanisms work well for files that are meant to be accessible to the world.  Campus websites installed using Drupal Express offer built-in image file management and provide a file upload field connected with each page for uploading non-image content (PDFs, office documents, etc.).

About the only issue here is with multimedia content (videos), which tend to be so large that they are best housed on a streaming media service, like MediaSpace, which also provides the benefit of letting the user quickly access the parts of the file they want to view instead of having to download the entire media file when they only want to see a small part of it.

Managing Limited Access Files

Somewhere between the intranet option and the fully public option lies the need to offer web pages that are public, but which link to files that should only be available to Georgia Tech community members.  This kind of configuration is fraught with challenges and should be approached with great care, so as to avoid creating the unintended illusion of security when there actually is none.  Whenever possible, consider the options above first, and try to avoid putting campus-only files onto websites that are otherwise open to the world.

Public versus Private Filesystems

It is important to understand that by default, Drupal does not serve the files that you upload to it - rather, it lets the Apache HTTPD web server deliver those files itself, speeding up the process.  Because of this, access limiting modules do nothing to protect these files.  Protections applied to normal file paths are simply ignored, because Drupal never handles the processing of those paths.

To have any real security for files uploaded to Drupal, you have to first configure a private filesystem for your Drupal site, then add a new file field to your page content type(s) so that you can make use of that private filesystem.  Once this is in place, you can look at methods of securing those files.

Securing a Private Filesystem

A private filesystem by itself is still open to the world, but has the potential to be locked down.  Most any path/route based access control module could be applied to the paths of a private filesystem, but which module is the best?

Authentication Based Security (e.g. CAS / GT User Account)

Since all campus Drupal sites built from Drupal Express include CAS based authentication, this is an easy option to use, but it comes with a caveat.  You implement CAS protection by defining paths (routes) that require site login for access, then enabling the automatic creation of new user accounts.  Then, anyone with a GT Account can log into your site in order to access the protected pages or files.  Theoretically there is no security issue with doing this, but you have to make certain that there is nothing in your site available to the built-in "Authenticated User" role that you don't want everyone in the Georgia Tech community to be able to see.  Thus, you need to scrutinize your site permissions for the "Authenticated User" role on a regular basis.

Another issue is that a large number of people have GT Accounts - many you would not think about: contractors, applicants, affiliates, etc.  Even guest user accounts are technically GT Accounts and could access your content.  So, if you really only want faculty and students to access certain content, a simple CAS based protection is really not enough.

Finally, be aware that every campus user who accesses one of your CAS protected pages or files will end up with a user account on your Drupal site, and in time this can really clutter up your site's user account list, making it harder to do security audits and manage the real users of your site.

For all of these reasons, consider all other options before simply going with authentication based security.

Firewall / Location Based Security (Campus and VPN Only Access)

A Drupal module like "Access Filter" will allow you to restrict path (route) access to a fixed set of IP addresses.  (IP addresses are unique numbers that identify each device connected to the internet anywhere in the world).  By configuring Access Filter rules with the campus and VPN IP address ranges of Georgia Tech, you effectively prevent anyone else from being able to access the files or pages protected by those rules.

Please note that since anyone with a GT Account can now use the Georgia Tech VPN, the scope of user access for this option is the same as with authentication based security: people like contractors, applicants, and guests can still get to your protected content. The upside to this approach is that it is mostly a hands-off approach: there is no need to open up your site to forced logins and automatic account creation, and thus your site user account list does not get cluttered with random user accounts.

While configuring Access Filter is more technical in nature than configuring CAS for forced logins, we have put together a step-by-step guide to configuring Access Filter for Campus and VPN Only Access to make it as easy as possible.

Alternatives to a Drupal Filesystem

It may seem attractive to just leave Drupal out of the equation, store your campus-only (or other limited access) files on another service, and then link to them from Drupal.  This is a good idea in theory, but many of the rules implemented for our approved campus file sharing systems can get in the way:

  • Links generated to files on file sharing services (OneDrive particularly) can expire, and in some cases you cannot disable the expiration; for files you want around indefinitely, this can be problematic

  • With some file sharing services, files can disappear if the owner of the file (the person who uploaded the file) leaves Georgia Tech; ideally files should be uploaded in a way where they are attached permanently to a unit (via some kind of "group") rather than to an individual employee

The option with the best longevity seems to be Microsoft Teams / SharePoint, but it is also the most complicated option to learn.  It is probably a good idea for an IT Support technician to get such an option set up properly and then train the unit's content manager(s) on how to use it properly.

Creating a Private Filesystem on OIT Web Hosting


Setting up a private filesystem requires some under-the-hood configuration, so the following is recommended only for someone who already understands filesystems and editing configuration files.

These instructions are tailored for the OIT Web Hosting Plesk servers, but can be adapted to other configurations. Instructions are based on using the Plesk GUI, but you can also accomplish all of the Plesk related steps from an SSH connection if you are more comfortable in a command line environment.

Configuration

  1. Connect to your hosting account's Plesk console.

  2. Go to the File Manager

  3. Create a new subdirectory for your private files

    1. On the first File Manager screen, select Home Directory to move to your hosting account's home directory.

    2. Select the blue "+" button to the left of the "Copy", "Move", "Archive", etc. buttons, and select Create Directory.

    3. Give your new directory a suitable name (these instructions will call it "files-private").

  4. Edit your site's settings.php file

    1. In File Manager, navigate into httpdocs/sites/default

    2. Find "settings.php" and use the drop-down selection at the right end of the line to Change Permissions.  Give "Owner" the "Write" permission and save.

    3. Use the drop-down on the "settings.php" line to Edit in Code Editor

    4. Search for "Private file path" and read the instructions there.

    5. Uncomment the line of code that sets the "file_private_path" value, and fill in the value like so: /var/www/vhosts/mysite.gatech.edu/files-private

      • Important: "mysite.gatech.edu" should be replaced with your hosting account ID, which is the domain name shown when you first open your Plesk control panel - this may not always be the domain name you normally use to access your site.  Also, "files-private" should be the directory you created in step 3 above.

  5. Save your changes, then open a new browser window, log into your site as an administrator, and clear all of the caches.

  6. Go to the site Status Report (administrative toolbar -> Reports -> Status report) and make sure there are no errors.  Also go to Reports -> Recent log messages and look for any error or warning messages there.

If all looks good, then move on to the next section.  Otherwise, troubleshoot any problems first.

Create a Private Attachments Field

  1. While logged into your site as an administrator, go to Structure -> Content types -> Basic page -> Manage fields

  2. Create a new field of type File and call it something like "Secure Attachments" or "Private Attachments" to distinguish it from the existing "Attachments" field.  Specify a subdirectory value like "campusonly" (or perhaps "campusonly/[date:custom:Y]-[date:custom:m]" if you want files organized in further subdirectories based on the month they were uploaded).  Configure the rest of the field as you wish, making sure you set the file size limit and allowed file extensions to meet your needs.

  3. If you are going to apply any kind of access restrictions to some or all of your private filesystem, then you will need to know the system path you want to protect, which is different from the path you put into the settings.php file earlier.

    1. The base system path for the private filesystem in Drupal is "/system/files".  Adding any rules for this base path will restrict all private files in all use cases, which may be more than you need.

    2. When you created your Secure Attachments field, you specified a subdirectory.  To protect just the files connected to that field, add the subdirectory to the base path to get the full system path for that subdirectory (e.g. "/system/files/campusonly").  Adding rules for this path will only protect files in the "/campusonly" subdirectory of the private filesystem while ignoring all other private files.

Using Access Filter to Limit Files to Campus and the VPN


A Drupal module called Access Filter combined with a private filesystem can be used to limit file access to campus and VPN IPs only.  For most cases, that's just as good as using forced logins via CAS authentication without the headaches of having a user account created on your Drupal site for every person who accesses one of your protected pages or files.

Important: Drupal access control modules will only work with a private filesystem, as Drupal does not actually handle access requests for files uploaded to public file fields (it lets Apache handle those requests for maximum speed).  If you do not already have a private filesystem set up, you will need to configure your site to use a private filesystem.

Instructions for Installing and Configuring Access Filter

  1. Configure your site with a private filesystem and make sure it is working correctly.

  2. Install the Access Filter module like you would any other Drupal module.

  3. Once you have the module installed, go to the Administrative Toolbar, to Configuration -> People -> Access filters and create a new filter with the following components:

    Conditions:
    - { type: path, path: /system/files/campusonly/* }
    
    Rules: 
    - { type: ip, action: deny, address: '*' }
    - { type: ip, action: allow, address: 130.207.0.0/16 }
    - { type: ip, action: allow, address: 128.161.0.0/16 }
    - { type: ip, action: allow, address: 143.215.0.0/16 }
    - { type: ip, action: allow, address: 192.93.8.0/24 }
    - { type: ip, action: allow, address: 10.0.0.0/8 }
    - { type: ip, action: allow, address: 172.16.0.0/12 }
    - { type: ip, action: allow, address: 100.64.0.0/10 }
    
    Response Code:
    302
    
    Redirect URL:
    /campusonly

    Make sure that the path in the condition matches up with the path that your Secure File field is using, so that the rule will apply to all files uploaded to that field.

  4. Finally, make a generic page at the path "/campusonly" that will tell outside users that the content they're trying to access is available on-campus or via the VPN only.

Now, any regular content manager can simply upload campus-only files to the Secure File field (created when setting up a private filesystem) on the related page and then link to the file like they would do for a normal file attachment. When accessed from on-campus or the VPN, the user simply gets the file. When accessed from off-campus, the user gets redirected to that /campusonly page.
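The following is an added example, not the Access Filter module's own code: a small offline model of the filter above that you can use to sanity-check a rule list before saving it. It assumes rules are evaluated in order with the last matching rule deciding (which is what the deny-first ordering above implies) and that "*" in the path condition matches any remainder of the path; the request paths and client addresses are constructed samples.

```python
import ipaddress
from fnmatch import fnmatchcase

# Condition, rules and redirect copied from the filter shown above.
CONDITION_PATH = "/system/files/campusonly/*"
REDIRECT_URL = "/campusonly"
RULES = [
    ("deny", "*"),
    ("allow", "130.207.0.0/16"),
    ("allow", "128.161.0.0/16"),
    ("allow", "143.215.0.0/16"),
    ("allow", "192.93.8.0/24"),
    ("allow", "10.0.0.0/8"),
    ("allow", "172.16.0.0/12"),
    ("allow", "100.64.0.0/10"),
]

def rule_matches(address, client_ip):
    """True if the rule's address ('*' or a CIDR range) covers client_ip."""
    if address == "*":
        return True
    # An IPv6 client is never inside an IPv4 network, so this is False for it.
    return client_ip in ipaddress.ip_network(address)

def decide(path, client_ip_text):
    """Return 'serve' or the redirect target for one request (model only)."""
    if not fnmatchcase(path, CONDITION_PATH):
        return "serve"  # the filter's condition does not cover this path
    client_ip = ipaddress.ip_address(client_ip_text)
    action = "allow"  # assumption: a request matching no rule is unrestricted
    for rule_action, address in RULES:
        if rule_matches(address, client_ip):
            action = rule_action  # assumption: the last matching rule wins
    return "serve" if action == "allow" else REDIRECT_URL

# Constructed sample requests (documentation-range addresses stand in for
# off-campus clients).
SAMPLES = [
    ("/system/files/campusonly/2024-05/minutes.pdf", "130.207.10.20"),
    ("/system/files/campusonly/2024-05/minutes.pdf", "203.0.113.7"),
    ("/system/files/campusonly/2024-05/minutes.pdf", "172.32.0.1"),
    ("/system/files/campusonly/2024-05/minutes.pdf", "2001:db8::1"),
    ("/system/files/other/form.pdf", "203.0.113.7"),
]

if __name__ == "__main__":
    for path, ip in SAMPLES:
        print(f"{ip:15} {path:48} -> {decide(path, ip)}")
```

In this model the last sample is served to an off-campus address because its path lies outside "/system/files/campusonly", and the IPv6 sample is redirected because the rule list contains only IPv4 ranges.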