Ok, It wasn’t a lot of pain, but it was a tad annoying nonetheless.
The story begins with using Drupal 5 for a private website (Note: I actually think these later releases of Drupal are pretty good – it’s pretty easy to create themes and the feature set is pretty rich). Since the data that was being uploaded needed access controls I set Adminster/File System/Download Method to private. Sounds Good so far.
Since I wanted to have some nodes containing uploaded image data, which I wanted to have ACLs protecting I installed the ACL/Content_Access modules and the Image module. I set the ACLs on the nodes as appropriate for me – nothing for Anonymous and view for Authenticated users.
Bugger – didn’t work. According to the logs I was getting 403’s via the module performing the private downloads. This wasn’t good. So after a great deal of Ineffective Googling (now known as IG) I decided to read the code.
After scratching my head for a little while I started to make sense of the code. The problem was that in addition to the ACL settings on the Image nodes I also needed to have view_original_file and view_uploaded_files permissions set for my Authenticated Role. Once I set that everything started working as I expected and sanity was restored.
Hopefully this little blog entry will end some drupal induced suffering for someone else.