Drupal File Access for Specific User Roles Only

drupal file access role

By default, Drupal file fields have very limited permission options.

So, if you want to make some files available only to certain user groups, you’ll need an extra module.

For some simple examples, we recommend the Private files download permission module.

In this tutorial, we’ll show you how to use that module to allow only logged-in users to download a file.

  • Go to Configuration > File system.
  • Here you can enter a folder which is only for private files. This means that files in this folder will not be publicly available on the internet.

Some notes on this folder for private files:

  • You will have to create this folder manually. Drupal will tell you if there are any problems with this folder.
  • You must also click “more information about securing private files“. That page will give you instructions on making sure your folder is private.

Now you can set up added permissions for your files.

  • Install the Private files download permission module.
  • Enter a path for this set of file uploads. In this example I used “loggedin_files” because that folder will be for files accessible only to logged in users.
  • Under “Enabled Users” and “Enabled Roles”, choose who can download these files.
  • Go to Structure > Content types > Manage fields
  • Create a new field using the “File” type.
  • Enter the file directory that you choose in the previous step:
  • Save the field.
  • Create a test content item using the File field:
  • Logged in users should now be able to see and access the file.
  • Visitors who are not logged in will be able to see the file, but when they click on it, they’ll get an “Access denied” message:


  • Steve Burge

    Steve is the founder of OSTraining. Originally from the UK, he now lives in Sarasota in the USA. Steve's work straddles the line between teaching and web development.

0 0 votes
Article Rating
Notify of

Newest Most Voted
Inline Feedbacks
View all comments
9 years ago


You don’t have permission to access /sites/default/files/private/filename.txt on this server.

I’ve recieved this message for every user with every permission including admin!

Feroze Ahmed
Feroze Ahmed
3 years ago
Reply to  shekoufeh

Same for me. Any solution of this problem?

Pathirakaliappan T
Pathirakaliappan T
9 years ago

Ohh..! thanks, you saved my time.

Vinothkumar Ravi
Vinothkumar Ravi
5 years ago

After the above configuration updated on my Drupal8 setup, authenticated users not able to access/download the file and only admin able to access.

Feroze Ahmed
Feroze Ahmed
3 years ago


I have a custom form with managed_file field for video upload in my custom drupal 8 module. Once video uploaded, it is accessible to everyone. I want to restrict access for logged in users only or role wise access. I tried “Private Files Download Permission” module but it always says forbidden for everyone. I have added private path for upload location.

$form[‘activity’][‘videos’] = [
    ‘#type’                => ‘managed_file’,
    ‘#upload_location’      => ‘private://activity/videos/’,
    ‘#multiple’            => TRUE,
    ‘#description’          => t(‘Allowed extensions: mp4 avi’),
    ‘#title’ => t(‘Upload Video’),
    ‘#upload_validators’    => [
      ‘file_validate_extensions’    => array(‘mp4 avi’)
    ‘#weight’ => ‘3’,
    ‘#ajax’ => [
        ‘callback’ => ‘::fix_ajax_callback’,
    ‘#disabled’ => (!empty($activity))? TRUE : FALSE,

3 years ago

How can I restrict to Own Content and a specific role because currently its looking like any loged in user with the same role can access another user’s file even if they are not the owner and their role is not supposed to access. Drupal 9

Would love your thoughts, please comment.x