Allow image style derivatives of private images to be stored on the public file system

Created on 30 January 2013, almost 12 years ago
Updated 12 January 2024, 11 months ago

There should be a way to allow image style derivatives of private images to be stored on the public file system.

There are many situations one can think of, where one would like to keep the original photos private but does not bother to make derivatives of it private as well. Think of thumbnails; watermarked and scaled down versions; or scaled down derivatives with lower color depth.

Advantages would be that a full Drupal bootstrap is avoided for these derivatives and that there is no need to install contrib or custom access modules to handle access to these derivatives.

Risk is that people oversee that in doing so, ALL private images can be accessed via a public derivative as there is no way to restrict this to only images stored in some fields.

Original report

Hello,

I am using Drupal as a photo gallery purposes. During building up a site I ended up in deadlock, concerning permissions (public or private file system) of image files and derivatives of them for various purposes.

I explain the whole problem in module ImageCache Actions issues: http://drupal.org/node/1863720

In short, first I have requested a feature for ImageCache Actions, to be able to create any new derivatives of image with different file system than the original. But as the posts reveal, this leads to drupal core, probably file system (at least so I believe)?

This should solve a problem:

If I use private filesystem for images, also the (derivated) thumbnails are created to private filesystem, and that leads to a unnecessary performance issue, because all of the thumbnails involve "drupal bootstrap" before they are sent to the browser. That is a performance problem. Can't do.

If I use public filesystem for images, then all the images are.... public. Also the original, which _must_ be protected. Even if I use only derivated versions in webpage, the originals are still easily accessible by doing a little bit of URL hacking (just by cutting some characters off from the URL). And that is security problem. Can't do.

I am speaking of photo works with quite lot of hours invested to each of them, so it is really important thing to make sure the originals don't get leaked out from the site.

Now, what I am requesting, is something what you could offer for the module makers, concerning the selection between private and public filesystem, when module does some derivated version of file in node.

If you read the issue in the ImageCache Actions page above, I believe you will easily see what is the problem here. I believe it must be in file system part of Drupal, where should be some sort of possibility to select more carefully the permissions of the new, derivated version of a file.

Automated image handling processes are very important when trying to do well working photo gallery (for both the admin and the viewers).

I'm not a programmer at all, so I apologize if the request doesn't make any sense in technically speaking, but I hope you could read the explanation linked above.

Feature request
Status

Closed: duplicate

Version

8.0 ⚰️

Component
Image system 

Last updated 34 minutes ago

Created by

🇫🇮Finland potatosauce

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇬🇧United Kingdom fonant

    I'd find this useful for a couple of customer sites.

    Uploaded full-scale unwatermarked images: private
    Derived small-scale and/or watermarked images: public

    It's possible to modify the permissions system to give anonymous users access to private derived images for certain styles, but for a site with lots of images it's process-intensive to check permissions for every image. Much better to store the derived images in the public filesystem, so they can be served direct by the web server without needing to bootstrap Drupal for every one.

Production build 0.71.5 2024