diff --git a/core/modules/comment/comment.module b/core/modules/comment/comment.module index 1a3580f..9ad19f5 100644 --- a/core/modules/comment/comment.module +++ b/core/modules/comment/comment.module @@ -2506,10 +2506,10 @@ function comment_rdf_mapping() { /** * Implements hook_file_download_access(). */ -function comment_file_download_access($field, $entity_type, $entity) { - if ($entity_type == 'comment') { - if (user_access('access comments') && $entity->status == COMMENT_PUBLISHED || user_access('administer comments')) { - $node = node_load($entity->nid); +function comment_file_download_access($context) { + if ($context['entity_type'] == 'comment') { + if (user_access('access comments') && $context['entity']->status == COMMENT_PUBLISHED || user_access('administer comments')) { + $node = node_load($context['entity']->nid); return node_access('view', $node); } return FALSE; diff --git a/core/modules/file/file.api.php b/core/modules/file/file.api.php index 7f20d83..9da9708 100644 --- a/core/modules/file/file.api.php +++ b/core/modules/file/file.api.php @@ -12,12 +12,14 @@ * file is referenced, e.g., only users with access to a node should be allowed * to download files attached to that node. * - * @param $field - * The field to which the file belongs. - * @param $entity_type - * The type of $entity; for example, 'node' or 'user'. - * @param $entity - * The $entity to which $file is referenced. + * @param array $context + * An associative array containing the following key-value pairs, matching the + * arguments received by hook_file_download_access(): + * - entity_type: The type of entity; for example, node or + * user. + * - entity: The entity to which the field item is referenced. + * - field: The field info of the field the field_item belongs to. + * - field_item: The field item that is being requested. * * @return * TRUE is access should be allowed by this entity or FALSE if denied. Note @@ -26,9 +28,9 @@ * * @see hook_field_access(). */ -function hook_file_download_access($field, $entity_type, $entity) { - if ($entity_type == 'node') { - return node_access('view', $entity); +function hook_file_download_access($context) { + if ($context['entity_type'] == 'node') { + return node_access('view', $context['entity']); } } @@ -45,12 +47,14 @@ function hook_file_download_access($field, $entity_type, $entity) { * An array of grants gathered by hook_file_download_access(). The array is * keyed by the module that defines the entity type's access control; the * values are Boolean grant responses for each module. - * @param $field - * The field to which the file belongs. - * @param $entity_type - * The type of $entity; for example, 'node' or 'user'. - * @param $entity - * The $entity to which $file is referenced. + * @param array $context + * An associative array containing the following key-value pairs, matching the + * arguments received by hook_file_download_access(): + * - entity_type: The type of entity; for example, node or + * user. + * - entity: The entity to which the field item is referenced. + * - field: The field info of the field the field_item belongs to. + * - field_item: The field item that is being requested. * * @return * An array of grants, keyed by module name, each with a Boolean grant value. @@ -58,7 +62,7 @@ function hook_file_download_access($field, $entity_type, $entity) { * module's value in addition to other grants or to overwrite the values set * by other modules. */ -function hook_file_download_access_alter(&$grants, $field, $entity_type, $entity) { +function hook_file_download_access_alter(&$grants, $context) { // For our example module, we always enforce the rules set by node module. if (isset($grants['node'])) { $grants = array('node' => $grants['node']); diff --git a/core/modules/file/file.module b/core/modules/file/file.module index a2a5a80..eafc456 100644 --- a/core/modules/file/file.module +++ b/core/modules/file/file.module @@ -165,15 +165,18 @@ function file_file_download($uri, $field_type = 'file') { // Try to load $entity and $field. $entity = entity_load($entity_type, array($id)); $entity = reset($entity); - $field = NULL; + $field = field_info_field($field_name); + + // Load the field item that references the file. + $field_item = NULL; if ($entity) { - // Load all fields for that entity. + // Load all field items for that entity. $field_items = field_get_items($entity_type, $entity, $field_name); // Find the field item with the matching URI. - foreach ($field_items as $field_item) { - if ($field_item['uri'] == $uri) { - $field = field_info_field($field_name); + foreach ($field_items as $item) { + if ($item['uri'] == $uri) { + $field_item = $item; break; } } @@ -190,11 +193,17 @@ function file_file_download($uri, $field_type = 'file') { // Invoke hook and collect grants/denies for download access. // Default to FALSE and let entities overrule this ruling. $grants = array('system' => FALSE); + $context = array( + 'entity_type' => $entity_type, + 'entity' => $entity, + 'field' => $field, + 'field_item' => $field_item, + ); foreach (module_implements('file_download_access') as $module) { - $grants = array_merge($grants, array($module => module_invoke($module, 'file_download_access', $field, $entity_type, $entity))); + $grants = array_merge($grants, array($module => module_invoke($module, 'file_download_access', $context))); } // Allow other modules to alter the returned grants/denies. - drupal_alter('file_download_access', $grants, $field, $entity_type, $entity); + drupal_alter('file_download_access', $grants, $context); if (in_array(TRUE, $grants)) { // If TRUE is returned, access is granted and no further checks are diff --git a/core/modules/file/tests/file.test b/core/modules/file/tests/file.test index 05083fc..7948fb0 100644 --- a/core/modules/file/tests/file.test +++ b/core/modules/file/tests/file.test @@ -1129,7 +1129,7 @@ class FilePrivateTestCase extends FileFieldTestCase { } function setUp() { - parent::setUp('node_access_test'); + parent::setUp(array('node_access_test', 'field_test')); node_access_rebuild(); variable_set('node_access_test_private', TRUE); } @@ -1146,6 +1146,10 @@ class FilePrivateTestCase extends FileFieldTestCase { $field_name = strtolower($this->randomName()); $this->createFileField($field_name, $type_name, array('uri_scheme' => 'private')); + // Create a field with no view access - see field_test_field_access(). + $no_access_field_name = 'field_no_view_access'; + $this->createFileField($no_access_field_name, $type_name, array('uri_scheme' => 'private')); + $test_file = $this->getTestFile('text'); $nid = $this->uploadNodeFile($test_file, $field_name, $type_name, TRUE, array('private' => TRUE)); $node = node_load($nid, NULL, TRUE); @@ -1156,5 +1160,14 @@ class FilePrivateTestCase extends FileFieldTestCase { $this->drupalLogOut(); $this->drupalGet(file_create_url($node_file->uri)); $this->assertResponse(403, t('Confirmed that access is denied for the file without the needed permission.')); + + // Test with the field that should deny access through field access. + $this->drupalLogin($this->admin_user); + $nid = $this->uploadNodeFile($test_file, $no_access_field_name, $type_name, TRUE, array('private' => TRUE)); + $node = node_load($nid, NULL, TRUE); + $node_file = (object) $node->{$no_access_field_name}[LANGUAGE_NOT_SPECIFIED][0]; + // Ensure the file cannot be downloaded. + $this->drupalGet(file_create_url($node_file->uri)); + $this->assertResponse(403, t('Confirmed that access is denied for the file without view field access permission.')); } } diff --git a/core/modules/file/tests/file_module_test.module b/core/modules/file/tests/file_module_test.module index 490ef42..56dcca3 100644 --- a/core/modules/file/tests/file_module_test.module +++ b/core/modules/file/tests/file_module_test.module @@ -72,9 +72,9 @@ function file_module_test_form_submit($form, &$form_state) { /** * Implements hook_file_download_access(). */ -function file_module_test_file_download_access($field, $entity_type, $entity) { - list(,, $bundle) = entity_extract_ids($entity_type, $entity); - $instance = field_info_instance($entity_type, $field['field_name'], $bundle); +function file_module_test_file_download_access($context) { + list(,, $bundle) = entity_extract_ids($context['entity_type'], $context['entity']); + $instance = field_info_instance($context['entity_type'], $context['field']['field_name'], $bundle); // Allow the file to be downloaded only if the given arguments are correct. // If any are wrong, $instance will be NULL. if (empty($instance)) { diff --git a/core/modules/node/node.module b/core/modules/node/node.module index b5ed7e8..1a3a31b 100644 --- a/core/modules/node/node.module +++ b/core/modules/node/node.module @@ -4186,9 +4186,9 @@ class NodeController extends DrupalDefaultEntityController { /** * Implements hook_file_download_access(). */ -function node_file_download_access($field, $entity_type, $entity) { - if ($entity_type == 'node') { - return node_access('view', $entity); +function node_file_download_access($context) { + if ($context['entity_type'] == 'node') { + return node_access('view', $context['entity']); } } diff --git a/core/modules/user/user.module b/core/modules/user/user.module index 865f17b..5d117d2 100644 --- a/core/modules/user/user.module +++ b/core/modules/user/user.module @@ -3902,8 +3902,8 @@ function user_rdf_mapping() { /** * Implements hook_file_download_access(). */ -function user_file_download_access($field, $entity_type, $entity) { - if ($entity_type == 'user') { - return user_view_access($entity); +function user_file_download_access($context) { + if ($context['entity_type'] == 'user') { + return user_view_access($context['entity']); } }