file_crusader

File Crusader is a Drupal module that enhances file access control by moving public files to an inaccessible path when their parent entity is unpublished. This prevents users from accessing files via their public URLs once the content they were attached to is not published.

Problem It Solves
In Drupal core, files stored in the public file system remain reachable by direct URL even if the parent content (such as a node or media entity) is unpublished. File Crusader closes that gap by programmatically relocating those files into a protected location when their parent is unpublished — ensuring that files truly respect entity publishing state.

Key Features
- Automatically moves public files to an inaccessible private path when their parent entity is unpublished.

- Respects the publish/unpublish status of all parent entities before acting.

- Shows warnings when a file cannot be unpublished due to active references (for example, attached to another published entity).

- Supports unpublishing single media entity files when the media parent is unpublished.

Use Cases
- Ensuring that unpublished content does not leak associated files via direct URLs.

- Preventing user access to attached media or images when parent content is unpublished.

- Improving security posture for sites with restricted or sensitive media.

In the future, this module could be useful for organizations which change administrations and need to ensure old policy documents cached in search engines are not accessible and interpreted as current.

Installation
composer require 'drupal/file_crusader:^1.0@alpha'

Compatibility
- Drupal 10
- Drupal 11