Managing Media File Visibility in Drupal Using ECA

Kai Gertz highlights a key flaw in Drupal’s media system: files remain publicly accessible even after their media entities are unpublished or deleted. This disconnect can expose sensitive content via direct URLs, contrary to user expectations. The Tojio blog evaluates conventional fixes, including the Media File Delete module and File Visibility module. While functional, these solutions introduce either UX friction or server performance risks—especially when defaulting to Drupal’s private file system.

In the blog post, “Drupal: Media, files and how to control their visibility,” Kai Gertz proposes a cleaner alternative using the ECA (Event, Condition, Action) module. His approach temporarily renames files with a .ht prefix when media is unpublished, breaking public access. The name is restored upon re-publication. This method aligns visibility with editorial intent without straining performance. The post includes a downloadable ECA model, giving site builders a practical tool for nuanced file access control. This is a thoughtful, low-overhead solution to a persistent problem in Drupal file handling.