How to reproduce the bug:

- Create a custom content type with a file field
- Password protect this content type
- Have a user role with "bypass password for view"
- Try to display the node with this user (this will work fine)
- Try to display the node's file attachment with this user (this will return access denied error)

How I fixed it:

I fixed it on my local drupal by adding this code snippet, line 792:

if (user_access('edit protected content')) {
  return;
}

Let me know if you want me to pull request, and how to do it, i'd be glad to do it.

CommentFileSizeAuthor
#2 protected_node-file_attach_bypass_view-2823734-2.patch4.89 KBgrimreaper

Comments

MonsieurNinja created an issue. See original summary.

grimreaper’s picture

grimreaper
Primary language French
Location France 🇫🇷
commented
Status: Active » Needs review
StatusFileSize
new protected_node-file_attach_bypass_view-2823734-2.patch4.89 KB

Hello,

Thanks for reporting the issue.

I see two problems with your issue.

In the steps to reproduce the bug. The file field should use the private file system.

If it is a problem with the bypass password for view. It should be this permission that should be tested and not the bypass password for edit action.

Here is a patch that fix the bug and add an automated test for that. Please test it and if it ok I will merge it.

Thanks for the review.

  • Grimreaper committed df939ff on 7.x-1.x 
    Issue #2823734 by Grimreaper, MonsieurNinja: Protected node's file...
grimreaper’s picture

grimreaper
Primary language French
Location France 🇫🇷
commented
Status: Needs review » Fixed

This is now merged.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.