Remove the rewrite rules that lets users download images directly from var. It will be a lot slower, but it will check access rights on every image request.
Thanks for your response but I still have a problem with that.
I remove the rewrite rules for var directory. But now I can't see any images on my site. The same behaviour for admin user and anonymous user. When I put direct image link (like: http://example.com/var/siteaccess/storage/images/folder/zdjecie/1579-1-pol-PL/zdjecie_large.jpg) to browser then I get eZ error page with error message: The requested module var could not be found.
If there any special configuration options?
My configuration of eZ Publish - virtual host. My .htaccess file:
DirectoryIndex index.php
<FilesMatch "(index\.php|\.(gif|html|css|jpe?g|png|ico|js|asf|avi|wmv|swf|xsl|jar|pdf|doc))$">
order allow,deny
allow from all
Options FollowSymLinks Includes ExecCGI
</FilesMatch>
RewriteEngine on
RewriteBase /
# first we rewrite the root dir to the handling php script
RewriteRule ^$ index.php [L]
RewriteRule ^index\.html$ index.php [L]
# exclude here directories or files eg. your webmail, phpadsnew, pphlogger
#Rewriterule ^var/storage/.* - [L]
#Rewriterule ^var/[^/]+/storage/.* - [L]
#RewriteRule ^var/cache/texttoimage/.* - [L]
#RewriteRule ^var/[^/]+/cache/texttoimage/.* - [L]
Rewriterule ^design/[^/]+/(stylesheets|images|javascript)/.* - [L]
Rewriterule ^share/icons/.* - [L]
Rewriterule ^extension/[^/]+/design/[^/]+/(stylesheets|images|javascripts?)/.* - [L]
Rewriterule ^packages/styles/.+/(stylesheets|images|javascript)/[^/]+/.* - [L]
RewriteRule .* index.php [L]
Sorry for giving you wrong advice, seems like only files (as in word, pdf etc) can be server like this true content/download.
Images are protected in the way that if you don't have access to it, you will get text saying "you don't have access to this image" instead of the image. So basically you only get the link if you have access, given that you use the ez templates for generating the url / image tag.