diff --git a/file_entity.admin.inc b/file_entity.admin.inc index 8c5b076..cb7da64 100644 --- a/file_entity.admin.inc +++ b/file_entity.admin.inc @@ -136,6 +136,27 @@ function file_entity_admin_files_validate($form, &$form_state) { if (!is_array($form_state['values']['files']) || !count(array_filter($form_state['values']['files']))) { form_set_error('', t('No files selected.')); } + else { + if ($form_state['values']['operation'] == 'delete') { + $op = 'delete'; + $error = t('You are not allowed to delete the selected files!'); + } + else if ($form_state['values']['operation'] == 'edit_multiple') { + $op = 'edit'; + $error = t('You are not allowed to edit the selected files!'); + } + if (in_array($form_state['values']['operation'], array('edit_multiple', 'delete'))) { + $files = array(); + foreach (file_load_multiple($form_state['values']['files']) as $index => $file) { + if (file_access($op, $file, $GLOBALS['user'])) { + $files[$index] = $file; + } + } + if (!count($files)) { + form_set_error('', $error); + } + } + } } /** diff --git a/file_entity.file.inc b/file_entity.file.inc index aeac27c..7fc071e 100644 --- a/file_entity.file.inc +++ b/file_entity.file.inc @@ -101,6 +101,9 @@ function file_entity_file_mimetype_mapping_alter(&$mapping) { * Implements hook_file_operation_info(). */ function file_entity_file_operation_info() { + if (user_access('delete own files') || user_access('delete any files') + || user_access('administer files') || user_access('bypass file access')) { + $info['delete'] = array( 'label' => t('Delete selected files'), 'callback' => 'file_entity_multiple_delete_confirm_operation', @@ -108,4 +111,5 @@ function file_entity_file_operation_info() { ); return $info; + } } diff --git a/file_entity.file_api.inc b/file_entity.file_api.inc index 339d91f..feb9eac 100644 --- a/file_entity.file_api.inc +++ b/file_entity.file_api.inc @@ -512,6 +512,20 @@ function file_uri_to_object($uri, $use_existing = TRUE) { * An array of file IDs. */ function file_delete_multiple(array $fids) { + // Although the function is allowed to not care about file usage or invalid URIs + // it should care about file access. + if (!empty($fids)) { + $files = array(); + foreach (file_load_multiple($fids) as $index => $file) { + if (file_access('delete', $file, $GLOBALS['user'])) { + $files[] = $file->fid; + } + } + $fids = $files; + if (!count($files)) { + drupal_set_message(t('Tried to delete files without having the appropiate access to do so.'), 'error'); + } + } $transaction = db_transaction(); if (!empty($fids) && $files = file_load_multiple($fids)) { try { diff --git a/file_entity.module b/file_entity.module index 338558e..59e4790 100644 --- a/file_entity.module +++ b/file_entity.module @@ -858,8 +858,18 @@ function file_entity_multiple_delete_confirm_operation($fids) { // under a different form_id. $form['#submit'] = array(); $form['#submit'][] = 'file_multiple_delete_form_submit'; - $files = file_load_multiple($fids); - return file_multiple_delete_form($form, $form_state, $files); + $files = array(); + foreach (file_load_multiple($fids) as $index => $file) { + if (file_access('delete', $file, $GLOBALS['user'])) { + $files[$index] = $file; + } + } + if (count($files)) { + return file_multiple_delete_form($form, $form_state, $files); + } + else { + drupal_set_message(t('You are not allowed to delete the selected files!'), 'error'); + } } /**