There should be a way to allow image style derivatives of private images to be stored on the public file system.
There are many situations where one would like to keep the original photos private but does not need the derivatives to be private as well. Think of thumbnails, watermarked and scaled-down versions, or scaled-down derivatives with lower color depth.
Advantages would be that a full Drupal bootstrap is avoided for these derivatives and that there is no need to install contrib or custom access modules to handle access to these derivatives.
The risk is that people overlook that, in doing so, ALL private images can be accessed via a public derivative, as there is no way to restrict this to only images stored in some fields.
Original report
Hello,
I am using Drupal for photo gallery purposes. While building up a site I ended up in a deadlock concerning the permissions (public or private file system) of image files and derivatives of them for various purposes.
I explain the whole problem in the ImageCache Actions module issues: http://drupal.org/node/1863720
In short, I first requested a feature for ImageCache Actions: to be able to create any new derivatives of an image on a different file system than the original. But as the posts reveal, this leads to Drupal core, probably the file system (at least so I believe)?
This should solve a problem:
If I use the private filesystem for images, the (derived) thumbnails are also created on the private filesystem, and that leads to an unnecessary performance issue, because all of the thumbnails involve a "Drupal bootstrap" before they are sent to the browser. That is a performance problem. Can't do.
If I use the public filesystem for images, then all the images are... public. Also the original, which _must_ be protected. Even if I use only derived versions in the webpage, the originals are still easily accessible by doing a little bit of URL hacking (just by cutting some characters off from the URL). And that is a security problem. Can't do.
I am speaking of photo works with quite a lot of hours invested in each of them, so it is a really important thing to make sure the originals don't get leaked out from the site.
Now, what I am requesting is something that you could offer to module makers concerning the selection between the private and public filesystem when a module creates some derived version of a file in a node.
If you read the issue on the ImageCache Actions page above, I believe you will easily see what the problem is here. I believe it must be in the file system part of Drupal, where there should be some sort of possibility to select more carefully the permissions of the new, derived version of a file.
Automated image handling processes are very important when trying to make a well-working photo gallery (for both the admin and the viewers).
I'm not a programmer at all, so I apologize if the request doesn't make any sense technically speaking, but I hope you could read the explanation linked above.