Prevent embedded content from anonymous users

Open on Drupal.org →

Created on 28 June 2021, about 4 years ago

Updated 7 August 2025, 5 days ago

Problem/Motivation

Currently H5P content is visible if it is viewed through the embed URL address.
Is it possible to "enable" the drupal user permissions also to these embed URLs, so that if role x does not have permission to
view the content which has h5p field, then also the embed urls would not work?

So currently it is not possible to create confidential H5P content because it is so easily accessible using these urls?

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

✨ Feature request

Status

Active

Component

Code

Created by

🇫🇮Finland jukka792

Live updates comments and jobs are added and updated live.

Incomplete comments

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment 5 days ago →
🇺🇸United States illeace
I think this is a nice idea, but here are a few things to consider:

Since the primary purpose of the embed feature is to use these H5P with external sites (like LMSs), we would want to preserve the default behavior of having these publicly visible (so we don't break existing installs)

Adding the option to apply Drupal permissions to those embed paths sounds relatively straightforward

...but, all the individual *.h5p files that live in /sites/default/files/h5p/exports/ (i.e., in the public files directory) are going to be downloadable regardless, and they have very guessable names.

So, if the goal is to really protect the content of the H5Ps from anonymous users, then this becomes a bigger challenge.
Comment 5 days ago →
🇺🇸United States frob US
Adding a related issue
Comment 4 days ago →
🇺🇸United States frob US
Adding another related issue.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024