If you set "public" as the download method, you can still protect some of your folders by settings in your .htaccess file, if you have mod_rewrite enabled.
For instance, if your files live in sites/default/files, and you want to protect everything in sites/default/files/protected_download_dir, then you can add the following line to your central .htaccess file:
RewriteRule ^sites\/default\/files\/(protected_download_dir\/.*)$ index.php?q=system/files/$1
The files in this folder (or, all files that match the regular expression) will not be served directly by apache, but by a full drupal request using the file_download() callback. The routing for system/files is defined in system_menu().
Access Checking for File Downloads
Modules can do access checking on files downloaded through file_download(), by implementing hook_file_download().
For instance, the filefield module will do access checking for all files that you upload via filefield. It will only give access to people who are allowed to see the node and the field the file belongs to.
In addition, you can look for modules that restrict file downloads based on the folder name or other criteria.
Access Checking built-in with Filefield
The filefield module has access checking built-in. To make use of this, please
Make sure to use the latest dev version of filefield (for now). The current offical release (08/2009) has a bug in access checking. Have a look into filefield issue 516104.
Configure the filefield you want to protect. Use the filefield path module, to define where the files for the filefield should be stored by default.
Add a line to your .htaccess to protect this folder (see above).
Use whatever modules to restrict node or field access.
amelia_joe on 17 Jun 15Anybody can participate in this bug bounty program and try to find the issues in Drupal 8 within 31st August 2015.Read more at:http://losangeles.fortuneinnovations.com/news/drupal-8-bug-bounty-program-find-issue-and-get-paid
