File Management Basics
At some point, you or your content manager will have a need to share files via your unit's Drupal website, but what is the right way to do this?
Cloud Storage Options
In general, Drupal, like any modern content management system (CMS) should not be used as a substitute for a file sharing application. If you need to simply share files with others in your unit (or even others anywhere at Georgia Tech but not publicly), you should use one of OIT's approved file sharing offerings, which include:
- Microsoft OneDrive
Please see OIT's Cloud Storage Offerings FAQ for details on each of these services.
An intranet is a private website/service where you can store both files and other content solely for the use of your unit. An intranet is an excellent tool for letting members of your unit share with each other while keeping others out.
The quickest way to build an intranet is to use Microsoft Teams / SharePoint. The easy path is to simply create a Team for your unit, which automatically creates much of the SharePoint backend for you. If you need more power than what Teams provides on its own, you can delve into the SharePoint side of the system to see what it offers.
You could build a Drupal site as an intranet, site, but to be secure this should always be a separate site from your unit's public website. This is because configuring a Drupal site for both public and private content is very tricky and not doing it right could expose private information to the world. Plus, the best protection for an Intranet is wrapping the entire site in authentication based security, and possibly also wrapping the entire site in firewall rules to limit access to campus and the Georgia Tech VPN.
File Storage with a Public Drupal Site
There are times when a content manager desires to present public web pages with links to files that support the page content. Drupal, like most content management systems, has support for this, and Drupal built-in mechanisms work well for files that are meant to be accessible to the world. Campus websites installed using Drupal Express offer built-in image file management and provide a file upload field connected with each page for uploading non-image content (PDFs, office documents, etc.)
About the only issue here is with multimedia content (videos), which tend to be so large that they are best housed on a streaming media service, like MediaSpace, which also provides the benefit of letting the user quickly access the parts of the file they want to view instead of having to download the entire media file when they only want to see a small part of it.
Managing Limited Access Files
Somewhere between the intranet option and the fully public option lies the need to offer web pages that are public, but which link to files that should only be available to Georgia Tech community members. This kind of configuration is fraught with challenges and should be approached with great care, so as to avoid creating the unintended illusion of security when there actually is none. Whenever possible, consider the options above first, and try to avoid putting campus-only files onto websites that are otherwise open to the world.
Public versus Private Filesystems
It is important to understand that by default, Drupal does not serve the files that you upload to it - rather, it lets the Apache HTTPD web server deliver those files itself, speeding up the process. Because of this, access limiting modules do nothing to protect these files. Protections applied to normal file paths are simply ignored, because Drupal never handles the processing of those paths.
To have any real security for files uploaded to Drupal, you have to first configure a private filesystem for your Drupal site, then add a new file field to your page content type(s) so that you can make use of that private filesystem. Once this is in place, you can look at methods of securing those files.
Securing a Private Filesystem
A private filesystem by itself is still open to the world, but has the potential to be locked down. Most any path/route based access control module could be applied to the paths of a private filesystem, but which module is the best?
Authentication Based Security (e.g. CAS / GT User Account)
Since all campus Drupal sites built from Drupal Express include CAS based authentication, this is an easy option to use, but it comes with a caveat. You implement CAS protection by defining paths (routes) that require site login for access, then enable the automatic creation of new user accounts. Then, anyone with a GT Account can log into your site in order to access the protected pages or files. Theoretically there is no security issue with doing this, but you have to make certain that there is nothing in your site available to the built-in "Authenticated User" role that you don't want everyone in the Georgia Tech community to be able to see. Thus, you need to scrutinize your site permissions for the "Authenticated User" role on a regular basis.
Another issue is that a large number of people have GT Accounts - many you would not think about: contractors, applicants, affiliates, etc. Even guest user accounts are technically GT Accounts and could access your content. So, if you really only want faculty and students to access certain content, a simple CAS based protection is really not enough.
Finally, be aware that every campus user who accesses one of your CAS protected pages or files will end up with a user account on your Drupal site, and in time this can really clutter up your site's user account list, making it harder to do security audits and manage the real users of your site.
For all of these reasons, consider all other options before simply going with authentication based security.
Firewall / Location Based Security (Campus and VPN Only Access)
A Drupal module like "Access Filter" will allow you to restrict path (route) access to a fixed set of IP addresses. (IP addresses are unique numbers that identify each device connected to the internet anywhere in the world). By configuring Access Filter rules with the campus and VPN IP address ranges of Georgia Tech, you effectively prevent anyone else from being able to access the files or pages protected by those rules.
Please note that since anyone with a GT Account can now use the Georgia Tech VPN, the scope of user access for this option is the same as with authentication based security: people like contractors, applicants, and guests can still get to your protected content. The upside to this approach is that it is mostly a hands-off approach: there is no need to open up your site to forced logins and automatic account creation, and thus your site user account list does not get cluttered with random user accounts.
While configuring Access Filter is more technical in nature than configuring CAS for forced logins, we have put together a step-by-step guide to configuring Access Filter for Campus and VPN Only Access to make it as easy as possible.
Alternatives to a Drupal Filesystem
It may seem attractive to just leave Drupal out of the equation and store your campus-only (or other limited access files) on another service and then link to them from Drupal. This is a good idea in theory, but many of the rules implemented for our approved campus file sharing systems can get in the way:
Links generated to files on file sharing services (OneDrive particularly) can expire, and in some cases you cannot disable the expiration; for files you want around indefinitely, this can be problematic
- With some file sharing services, files can disappear if the owner of the file (the person who uploaded the file) leaves Georgia Tech; ideally files should be uploaded in a way where they are attached permanently to a unit (via some kind of "group") rather than to an individual employee
The option with the best longevity seems to be Microsoft Teams / SharePoint, but it is also the most complicated option to learn. It is probably a good idea for an IT Support technician to get such an option set up properly and then train the unit's content manager(s) on how to use it properly.