Allow users without "access content" permission to upload files [#1126198]

A private site with content access denied to anonymous users has a problem when the filefield is used on a user profile registration form.

The ahah upload fails with HTTP error 0 because the access control on the form field checks:

<?php
 556 function filefield_edit_access($type_name, $field_name) {
 557   if (!content_access('edit', content_fields($field_name, $type_name))) {
 558     return FALSE;
 559   }
 560   // No content permissions to check, so let's fall back to a more general permission.
 561   return user_access('access content') || user_access('administer nodes');
 562 }
?>

user_access('access content') will return FALSE.

WOuld be nice if the module could cater for this case, without having to hook_menu_alter the access callback out.

Comment	File	Size	Author
#2	filefield_access_less.patch	1.18 KB	quicksketch

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

quicksketch

he/him

CreditAttribution: quicksketch commented 27 April 2011 at 22:22

You know I've always thought that check was a bit funny. I think it predates my maintainership.

How about we just do this?

function filefield_edit_access($type_name, $field_name) {
  return content_access('edit', content_fields($field_name, $type_name));
}

Comment #2

quicksketch

he/him

CreditAttribution: quicksketch commented 27 April 2011 at 22:30

Title:	HTTP error 0 for anonymous people uploading a file	» Allow users without "access content" permission to upload files
Status:	Active	» Fixed

File	Size
filefield_access_less.patch	1.18 KB

I've committed this patch to loosen up our access control slightly. If a module wants to deny view or editing access they can implement hook_field_access() and set the same permissions through that hook. FileField shouldn't be making assumptions about which permissions allow users to edit/view a field.