Private file download returns access denied

nice catch, subscribing

Neither patches in #2 are correct to test or fix the issue, this one is at least correct in testing for it. We should get 1 fail.

It looks like a mistake that we check access for all revisions, so here's a solution which only checks access on the latest revision. And as a result, $nid is passed correctly to entity_load(). In HEAD, a revision ID is passed to entity_load(), which results in the wrong node/entity being used in the access check (confusing $vid with $nid). That is bad :P

Marked #964400: file_file_download attempts to load entities with their revision_id as a duplicate of this.

One test requires a $reset of node_load().

Upsie :)

I think I wrote the part that loads the entity in hook_file_download() and wasn't sure if it's the correct way but nobody said something different :)

Tagging with security, this bug could result in files being unintentionally downloadable because field_access() and hook_file_download_access() could be passed the wrong entity entirely.

Patch looks good to me - could we get just the tests as a patch to show the failures? Don't have time to run locally at the moment but RTBC otherwise.

The test faill without the fix, and pass with the fix. I think that's RTBC...

Sorry. Change again..

reupload of the patch from #9 to keep the testbot happy. (no changes)

Committed to CVS HEAD. Thanks.

Looks like committed patch did not solved problem completely, because it changed file_get_file_references function parameter to FIELD_LOAD_CURRENT from FIELD_LOAD_REVISION. But FIELD_LOAD_REVISION parameter was there for a good reason, with FIELD_LOAD_CURRENT we are not able to open files attached to all entity revisions except current. It's fatal in case you're trying to build, say, intranet with library for documents.

Steps to reproduce:
1.Set up clean Drupal 7.12 with private document folder (say, sites/default/files/private) and a content type with just a title and file field called field_file. It should store files in your private folder.
2.Login as UID1, create a node and add a file "testfile1.txt" to it's file field.
3.Save the node
4.Click edit
5.Remove the old file, "testfile1.txt"
6.Add "testfile2.txt"
7.Check "Create new revision" option
8.Click save
9. Click revisions tab, open first revision of your node
10. Node is fine, link to file is there, but when you'll click on this link to the file "testfile1.txt", you'll get "Page not Found"

It is possible to open old version of your file - if you'll revert old revision. But it is not an option in case you use revisions as revisions, not as backups for inaccurate users, because it will produce awful mess of revisions.

Subscribing. I'm also unable to access some private files, even when signed in as the admin user.

#19: 992674-9-private-access-denied.patch queued for re-testing.

This patch did not work for me. I submitted it for re-testing and it failed.

Me too. I can't access any private files and the patch didn't help at all. I submitted it for re-testing and it failed. hmmm

The patch has already been commited a *looong* time ago, you can't retest that, that makes no sense.

It might make more sense to open a new issue about that rather than re-open a one that has been closed more than a year ago.

ok. done: http://drupal.org/node/1452100

Closing this issue as another issue has been created.

Confirm this issue with D7.