Drupal is a registered trademark of Dries Buytaert
drupal 11.4.2 Update released for Drupal core (11.4.2)! drupal 11.4.1 Update released for Drupal core (11.4.1)! drupal 11.4.0 Update released for Drupal core (11.4.0)! drupal 10.6.12 Update released for Drupal core (10.6.12)! drupal 11.3.13 Update released for Drupal core (11.3.13)! drupal 10.6.11 Update released for Drupal core (10.6.11)! drupal 11.3.12 Update released for Drupal core (11.3.12)! drupal 11.2.14 Update released for Drupal core (11.2.14)! drupal 10.5.12 Update released for Drupal core (10.5.12)! cms 2.1.3 Update released for Drupal core (2.1.3)! drupal 10.5.11 Update released for Drupal core (10.5.11)! drupal 11.3.11 Update released for Drupal core (11.3.11)! drupal 11.2.13 Update released for Drupal core (11.2.13)! drupal 10.6.10 Update released for Drupal core (10.6.10)! cms 2.1.2 Update released for Drupal core (2.1.2)! drupal 11.1.10 Update released for Drupal core (11.1.10)! drupal 10.5.10 Update released for Drupal core (10.5.10)! drupal 10.4.10 Update released for Drupal core (10.4.10)! drupal 11.2.12 Update released for Drupal core (11.2.12)! drupal 11.3.10 Update released for Drupal core (11.3.10)!

File Manager is a fully Drupal-native file manager for a configurable filesystem root - browse, upload, download, rename, move, copy, zip, unzip and preview files straight from the admin UI. No iframe, no vendored JavaScript file-manager library and no third-party PHP application: every operation runs through Drupal's own APIs, permissions and logging, and each file it shows is a managed File entity, so usage tracking, references and the rest of Drupal see them like any other file.

The listing, its operations and the optional CKEditor browser are all confined to a single root directory that you choose, with per-user and per-role subdirectory patterns on top - so every user works safely inside their own space, and administrators can see the whole tree.

Key features

  • Browse and manage: a sortable listing with breadcrumbs, folder navigation and search. Every operation - rename, move, copy, delete, create folder, zip, unzip, replace and upload - is an inline AJAX modal that refreshes the listing in place, with no full page reload. Modals are draggable and stay centered.
  • Chunked, resumable uploads: large files upload in chunks staged on the shared filesystem, so multi-server hosts (with no shared local temp) finalize correctly. Uploads are guarded by CSRF, extension rules, a confined destination and a cumulative size cap, and support drag-and-drop.
  • Replace in place: swap the contents of an existing file with a new upload while keeping its identity - the managed File id, usage and any tags survive. A content-type guard rejects a replace that would change the file's real type (for example a .zip swapped for a .jpg).
  • Preview and download: modal preview for images, text and PDFs (size capped), plus confirmed downloads and inline serving, all CSRF-guarded.
  • Zip and unzip: compress selected files and folders into an archive, or extract one - with zip-slip protection, per-entry extension checks and caps on the total extracted size and file count.
  • Path confinement: every user-supplied path passes through a single confinement authority that normalizes it (rejecting .. and null bytes), joins it to the effective root and asserts (symlink-safe) that the result stays inside the root. Filenames are sanitized to a cross-platform-safe form.
  • Per-user and per-role roots (path patterns): a Pathauto-style, weight-ordered list of token-enabled path patterns confines each user to their own subdirectory (the shipped default gives every user users/[user:uuid]). Administrators can bypass patterns and see the whole root.
  • Per-operation permissions: download, upload, create folders, rename, replace, move/copy, delete, compress and extract are each their own permission, so you can grant exactly the operations a role should have.
  • Extension safety: executables and browser-active content (php, sh, exe, html, svg, xml, ...) are hard-denied and cannot be re-enabled; on top of that you set your own denied list and an optional allow-list. The deny rules apply to every extension segment, so evil.php.txt is blocked too.
  • Managed-file backed: every file the manager shows is a permanent managed File entity, ensured lazily on listing, with disk kept as the source of truth. A first-run onboarding scan bulk-registers any pre-existing files (public and private) so they are tracked from the start.
  • Full audit trail: every operation - move, rename, copy, delete, folder create, zip, unzip, upload - writes a log entry with the acting user, IP and time.
  • Native theming: renders with the site's admin theme (built for Gin) using Drupal render arrays, #type elements and Twig - no embedded third-party UI.
  • Extensible: badge plugins add annotations next to file and breadcrumb entries, and a set of alter/react hooks let other modules add columns, add row operations, block operations, extend search and react to file events.

Submodules

Enable only what you need - the module ships focused submodules:

  • File Manager Tags: colored, role-scoped tags for files and folders. Tags are content entities owned by their creator and, with an extra permission, shareable with selected roles; a tag with no roles stays private to its owner. An interactive Tags column assigns and removes tags inline, and tags can be searched.
  • File Manager Share: password-protected public shares of files and folders through a private, gated store, plus the private files scope (Public/Private sub-tabs). Shares can expire, self-destruct after the first download and are brute-force flood-limited.
  • File Manager CKEditor: an "Insert from file manager" CKEditor 5 toolbar button that browses the managed root and inserts files or images with editor usage tracking. Its picker toolbar is extensible with plugins and configurable per text format.
  • File Manager AI: a clickable AI summary badge on text files, PDFs and images that opens a dialog with an LLM-generated summary. Depends on the AI (ai) module and a configured chat provider; the model and system prompt are configurable.
  • File Manager Lock: lock files and folders to protect them from rename, move, copy, replace and delete, with an optional password to unlock.
  • File Manager Trash: a recycle bin - deletes move items to the trash where they can be restored or permanently removed, with an automatic cron purge after a configurable retention period (default 30 days).
  • File Manager Quota: per-user and per-role storage quotas. Uploads are blocked once a user reaches their cap, an optional usage meter shows how much is used, and a "Bypass storage quota" permission exempts trusted roles.

Screenshots

Configuration

  1. Set the root directory and limits at Administration > Configuration > Media > File Manager (/admin/config/media/file-manager). Settings are split into General (root directory, upload/chunk/preview size limits, extraction caps, allowed/denied extensions), Files (excluded paths and which badges show, per scope) and Paths (the per-user/per-role path patterns).
  2. Grant the module's permissions to the appropriate roles. Operations are gated individually, so a role can be allowed to download and upload without being able to delete.
  3. Browse and manage files at Administration > Content > File Manager (/admin/content/file-manager).
  4. On first run the manager offers to scan the root and register existing files as managed files. Confirm it (or run drush fm:convert) before the listing appears.

Usage

  1. Go to Content > File Manager and browse into folders with the breadcrumb and folder links, or search the current root.
  2. Use the row and bulk operations - Rename, Move/Copy, Delete, Zip, Unzip, Replace, Download - each opens an AJAX modal and refreshes the listing when it closes.
  3. Create folders and upload files with the local actions above the listing; uploads support drag-and-drop and large, chunked files.
  4. Preview a file (image, text or PDF) in a modal without downloading it.

Everything is confined to the configured root and, for non-bypass users, to the subdirectory their path pattern resolves to.

Requirements

  • Drupal 11.3+ or 12.
  • File (Drupal core module).
  • The Token module, for the path pattern tokens.

Built with AI assistance

Activity

Total releases
1
First release
Jul 2026
Latest release
18 hours ago
Release cadence
Stability
0% stable

Releases

Version Type Release date
1.0.0-alpha1 Pre-release Jul 13, 2026