folder_tree
The Folder Tree module for Drupal 10/11 provides an
interactive, AJAX-driven browser for exploring the server's directory and file
hierarchy directly from the Drupal admin UI — without SSH, FTP, or any
separate tooling. Directories are loaded lazily on demand so even large file
trees stay fast, and every request is validated server-side to prevent path
traversal outside the configured root.
Why You Need This Module
Server administrators and site builders routinely need to verify what files
are present on a live site — checking whether an uploaded asset landed in the
right place, confirming a deployment copied every file, inspecting log
directories, or auditing what is exposed under a public path. The standard
options each carry friction:
- SSH +
ls/find: Requires
terminal access and is unavailable to non-developers or clients who should
not have shell credentials. - FTP / SFTP client: Requires separate credentials, a
separate application, and ongoing session management — overhead for a
simple file check. - Drupal's Media / File browser: Only surfaces files
tracked by Drupal. Deployment artifacts, log files, configuration files,
and anything outsidesites/default/filesare invisible. - Hosting control panels: Not universally available,
vary per host, and offer no integration with Drupal's own permission
model.
Folder Tree fills that gap. It exposes a
permission-controlled, read-only directory browser inside the Drupal admin
panel — no extra credentials, no separate tools, no shell access required.
It is particularly valuable for:
- Site builders and content managers who need to confirm
uploaded files exist on disk without involving a developer. - Developers who want a quick visual check of deployment
or build output without leaving the browser. - System administrators who want to delegate read-only
filesystem inspection to trusted editors while keeping write access
restricted. - Agencies running multi-client Drupal platforms who need
lightweight per-site filesystem auditing without granting SSH access to
clients.
Features
- Lazy AJAX loading: Child directories are fetched on
demand; the initial page load is instant regardless of how large the tree
is. - Expand / collapse: Click any folder to reveal its
contents; click again to collapse. The tree remembers which branches are
open during a single session. - Keyboard navigation: Full Arrow-key support —
↓/↑move focus between items,
→expands a folder,←collapses it. No mouse
required. - Collapse all: A single toolbar button collapses every
open branch at once. - 25 distinct SVG file-type icons: Covers folders, PDFs,
images, video, audio, archives, office documents, code files, and more —
all embedded as inline data-URIs with no extra HTTP requests. - Folder child counts: Every folder displays a badge
showing how many direct children it contains before you expand it. - File size tooltips: Hovering or focusing a file shows
its human-readable size (1.4 KB,23.7 MB, etc.)
in the native browser tooltip. - Live search filter: A search box in the toolbar
instantly hides any item whose name does not match the typed string. Works
across all currently loaded levels. Clear the box to restore all
items. - Path traversal protection: Every AJAX request resolves
the requested directory throughrealpath()and confirms it is
a strict child of the configured root. Symlinks pointing outside the root
are blocked. - Permission-gated endpoint: The AJAX route requires the
same Drupal permission as the page itself; unauthenticated or
unpermissioned requests receive a403before any filesystem
access occurs. - Read-only: The module provides no mechanism to upload,
delete, move, or modify any file or directory. It is strictly a
browser. - Accessible and responsive UI: WCAG 2.1 AA compliant
withrole="tree",aria-liveannouncements,
keyboard focus management, and reduced-motion support. - Zero external dependencies: Uses native
fetch()and Drupal core'sonceutility only. No
jQuery, no CDN assets, no Composer packages beyond Drupal core.
Installation
Install the module using Composer (recommended):
composer require drupal/folder_treeEnable the module:
drush en folder_tree -yClear Drupal caches:
drush crPost-Installation
After enabling the module:
- Navigate to Administration » Configuration » System
» Folder Tree Settings
(/admin/config/system/folder-tree). - Set the Root directory path — the absolute server path
used as the top of the tree. The browser cannot navigate above this
path. - Optionally enable Show hidden files and directories to
include files and folders whose names begin with.. - Grant permissions under People » Permissions:
access folder tree— allows browsing the directory tree
and using the AJAX listing endpoint.administer folder tree— allows changing the root path
and show-hidden setting. Restrict to administrators only.
- Browse the tree at Administration » Structure »
Folder Tree
(/admin/structure/folder-tree).
Additional Requirements
This module requires:
- Drupal 10.x or 11.x
- PHP 8.2 or higher
- Drupal core User and System
modules - The web server process must have read permission on the configured root
directory.
No contributed module dependencies. No third-party JavaScript libraries or
external services are required.
Similar projects
-
File Browser —
Provides a file browser interface for Drupal-managed files. Folder Tree
differentiates itself by exposing the full server filesystem (not just
Drupal-tracked files), adding lazy AJAX loading, live search, role-based
permissions, path traversal protection, and 25 inline SVG file-type icons.
Support
Please post bug reports, feature requests, and support requests to
the Folder Tree
module issue queue. Community contributions, testing, and documentation
improvements are always welcome.
Community Documentation
- Project documentation and configuration examples can be added here.
- Video walkthroughs and setup tutorials are welcome.
- Example root-path configurations for common hosting setups can also be
included.
Security Focus
Folder Tree is designed for sites where controlled filesystem visibility
matters — agency platforms, enterprise Drupal installations, and multi-client
hosting environments where SSH access cannot be granted to every stakeholder.
All filesystem access is read-only and server-validated. The configured root
is resolved through realpath() on every request, file and
directory names are HTML-escaped before output, and the
administer folder tree permission is flagged
restrict access: true to prevent accidental delegation.