By default, Drupal file fields have very limited permission options.
So, if you want to make some files available only to certain user groups, you’ll need an extra module.
For simple use cases, we recommend the Private files download permission module.
In this tutorial, we’ll show you how to use that module to allow only logged-in users to download a file.
- Go to Configuration > File system.
- Here you can enter a folder which is only for private files. This means that files in this folder will not be publicly available on the internet.
Some notes on this folder for private files:
- You will have to create this folder manually. Drupal will tell you if there are any problems with this folder.
- You must also click “more information about securing private files”. That page will give you instructions on making sure your folder is private.
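The notes above require that the private folder is not reachable from the internet. The shell function below is an added example (not part of the original tutorial, Drupal, or the module) that audits this on the server: it assumes you pass in your web root and private folder paths, and the status words it prints are invented for this example.

```shell
#!/bin/sh
# Added example: audit a Drupal private files folder on the server.
# Status words printed below are invented for this example.

# True when path $1 is $2 itself or lies beneath it.
is_under() {
    case "$1/" in "$2"/*) return 0 ;; *) return 1 ;; esac
}

# check_private_dir <web_root> <private_dir>
# Prints one status word; returns 0 when the folder looks private, 1 otherwise.
check_private_dir() {
    web_root=$1
    private_dir=$2
    [ -d "$web_root" ] || { echo "bad-web-root"; return 1; }
    [ -d "$private_dir" ] || { echo "missing"; return 1; }

    # Compare both the path as written (symlinks kept) and the resolved path:
    # a symlink inside the web root still gives the folder a URL.
    root_log=$(CDPATH= cd -- "$web_root" && pwd -L)
    root_phys=$(CDPATH= cd -- "$web_root" && pwd -P)
    priv_log=$(CDPATH= cd -- "$private_dir" && pwd -L)
    priv_phys=$(CDPATH= cd -- "$private_dir" && pwd -P)
    [ -n "$root_phys" ] && [ -n "$priv_phys" ] || { echo "unreadable"; return 1; }

    if ! is_under "$priv_log" "$root_log" && ! is_under "$priv_phys" "$root_phys"; then
        echo "outside-web-root"
        return 0
    fi

    # Inside the web root: look for an uncommented deny rule in .htaccess
    # (Apache 2.2 "Deny from all" or Apache 2.4 "Require all denied").
    if grep -Eiq '^[[:space:]]*(deny from all|require all denied)' \
            "$private_dir/.htaccess" 2>/dev/null; then
        echo "inside-web-root-denied"
        return 0
    fi
    echo "inside-web-root-exposed"
    return 1
}

# Run as: sh check_private.sh /var/www/html /var/www/private  (constructed paths)
if [ "$#" -eq 2 ]; then
    check_private_dir "$1" "$2"
fi
```

A deny rule in `.htaccess` only protects the folder when Apache is the web server and is configured to honour `.htaccess` files; on other servers, keep the folder outside the web root.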
Now you can set up added permissions for your files.
- Install the Private files download permission module.
- Enter a path for this set of file uploads. In this example I used “loggedin_files” because that folder will be for files accessible only to logged-in users.
- Under “Enabled Users” and “Enabled Roles”, choose who can download these files.
- Go to Structure > Content types > Manage fields.
- Create a new field using the “File” type.
- Enter the file directory that you chose in the previous step.
- Save the field.
- Create a test content item using the File field.
- Logged-in users should now be able to see and access the file.
- Visitors who are not logged in will be able to see the file, but when they click on it, they’ll get an “Access denied” message.