I am having problems denying access for anonymous users to private files. Having looked into the logs for hook_file_download() - the issue seems to be that whenever a user does NOT have access, it will still return NULL (not -1), indicating the module does not control (access for) the file. However, in my case no other module or hook implementation is denying access, basically granting access to anyone instead.
The patch causing the issue seems to be this one: https://drupal.org/comment/7764977#comment-7764977
There is a check for file_entity_access('view') but whenever this returns FALSE (e.g. when access is denied) hook_file_download will simply return NULL instead - I think the code here needs to be split up further to first determine IF file access is handled by File entity, and if it is, NEVER return NULL, but return either the file headers, or -1 if access should be denied.
Comment | File | Size | Author |
---|---|---|---|
#3 | cannot_deny_access_private_files.patch | 290 bytes | FreekVR |
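The return-value behaviour described in this issue, as an added example that is not part of the original thread or of the File entity module's code: a simplified, standalone model of how Drupal 7 core combines `hook_file_download()` results (-1 vetoes, NULL abstains, header arrays are merged). The callbacks, the `other_module` name and the sample URI are constructed for illustration.

```php
<?php
// Simplified model of how Drupal 7 core combines hook_file_download() results.
// All callbacks and the sample URI are constructed; this is not module code.
const DENY = -1;

// Any -1 vetoes the download, NULL means "not my file", arrays are merged.
function combine_download_results(array $implementations, $uri, $can_view) {
  $headers = array();
  foreach ($implementations as $module => $callback) {
    $result = $callback($uri, $can_view);
    if ($result === DENY) {
      return array();  // Veto: throw away headers collected so far.
    }
    if (is_array($result)) {
      $headers = array_merge($headers, $result);
    }
  }
  return $headers;     // An empty array ends in an access denied page.
}

// Hypothetical second module granting access on its own terms
// (for example because the file is attached to a viewable node).
$other_module = function ($uri, $can_view) {
  return array('Content-Type' => 'application/pdf');
};

// Reported behaviour: the view check fails and the hook returns NULL.
$reported = function ($uri, $can_view) {
  return $can_view ? array('Content-Type' => 'application/pdf') : NULL;
};

// Proposed behaviour: the module owns the file, so it never returns NULL.
$proposed = function ($uri, $can_view) {
  return $can_view ? array('Content-Type' => 'application/pdf') : DENY;
};

// Anonymous user without view permission requests a private file.
$variants = array('reported' => $reported, 'proposed' => $proposed);
foreach ($variants as $label => $file_entity) {
  $headers = combine_download_results(
    array('file_entity' => $file_entity, 'other_module' => $other_module),
    'private://report.pdf',
    FALSE
  );
  printf("%-8s => %s\n", $label, $headers ? 'file served' : 'access denied');
}
```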
Comments
Comment #1
FreekVR commented
Comment #2
ericwongcm commented:
Someone posted a fix here.
https://drupal.org/comment/8173505#comment-8173505
Someone please put this into file entity code.
Comment #3
FreekVR commented:
I'm afraid the linked issue is a different issue. Attached is a patch we are now using. The downside of this patch is that it totally limits access to the permissions set for the entity bundle in this module. Previous to this patch the access was handed off to the node module in case the file was uploaded to a node.
The downside of the approach as it was, is that effectively the permissions for this module only allow you to open up access to anyone, and removing said permission for a certain role does not mean that they will be unable to access the file.
Some thought needs to go into the whole approach this module takes to file permissions. If the above description is how it is *intended* to work, I think the descriptions for the permissions need to change.
In our case, the client specifically requested for private files to be downloadable only for logged in users, regardless of the permissions that user has to the node it was uploaded to. Only by using this patch can we regulate it using the permissions already provided by the module.
Comment #4
FreekVR commented
Comment #5
Anonymous (not verified) commented:
I have the same issue with public files!!
To Reproduce the public files strange behavior:
Visit the page and click download the file; it will allow download a couple of times, then it will redirect to the access denied page!
Comment #6
klaasvw commented:
I also had a similar problem. This patch fixed the issue for me, see #2268335: File permissions ignored for private files
Comment #7
aaron commented:
3: cannot_deny_access_private_files.patch queued for re-testing.
Comment #8
aaron commented:
Committed to http://drupalcode.org/project/file_entity.git/commit/b08ed87.
Comment #11
znerol commented:
Note, this has been reverted by #2351691: Access denied when downloading private files - decide if file_entity_file_download() should deny access by default or not.
Comment #12
znerol commented