The 'view all media' permission naming makes it sound like a good idea to give that permission to all users. However, if you do so it prevents you from having any private files work on your site (I found this out after a lengthy debug session). The description should be changed to 'View all media files including private files.' to prevent confusion.

Comments

JacobSingh’s picture

I'm not sure about this... Private files refers to the filesystem itself, not access to viewing the files on the site, right? So if you use filefield and upload a file and set the location to private:// it's still accessible on that node. Media operates pretty much the same way.

That being said, there is no way to *enumerate* files using core file handling techniques. Media provides that...

So there is a task here to add more granular permissions to file access, but it seems unrelated to the public / private files debate.

Is that right?

jody lynn’s picture

This is what happened to us:

We set up a new filefield as private. Then we added content_access to set role permissions for the content type. Because node.module implements hook_file_download_access to deny access to files on inaccessible nodes, we expected file_download to deny access to the files for those who could not view the nodes. The access was still granted though. File access, like node access, is a system of grants not denials, so I figured a different module must be giving a grant, and tracked it down to media_file_download_access. Our permissions were configured to give all users 'view media' permission, which was the problem.

Most people will assume that they want to give all users the 'view media' permission, but doing so will prevent you from denying access to any file on the site, which is not obvious when you set that. Since all users can see public files without that permission (I believe), it is really more of an administrative permission (like 'access all views' is). I think that just completing the @TODO on media_permission to give that perm a better description such as 'View all files including private files' would prevent a lot of people from mis-assigning that perm.

See also http://drupal.org/documentation/modules/file#comment-4278514 where several people are unable to get private files to deny access, likely caused either by using media module with that perm set or by using another module that is giving a file view grant. Some people there are resorting to implementing hook_file_download in a custom module because they probably can't get the grants right that come through hook_file_download_access.
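The grant behaviour described in the comment above, as an added example that is not part of the original thread and not Drupal or Media code. It is a simplified stand-alone model: the function name, the account and node arrays, and the two callbacks are constructed stand-ins for the node and media implementations of hook_file_download_access.

```php
<?php
// Simplified model of grant-based file access as described in the comment
// above. Not Drupal core code: all names and data here are constructed.

/**
 * Collects one answer per module and allows the download if any is TRUE.
 */
function model_file_access(array $modules, array $account, array $node): array {
  $grants = array('system' => FALSE); // Default: nobody has granted access.
  foreach ($modules as $name => $callback) {
    $grants[$name] = $callback($account, $node);
  }
  // A FALSE answer is not a veto: a single TRUE from any module is enough.
  $granted_by = array_keys($grants, TRUE, TRUE);
  return array('allowed' => !empty($granted_by), 'granted_by' => $granted_by);
}

// Constructed stand-ins for the two implementations named in the thread.
$modules = array(
  // node: grants only if one of the account's roles may view the node.
  'node' => function (array $account, array $node) {
    return (bool) array_intersect($account['roles'], $node['view_roles']);
  },
  // media: grants whenever the account holds the 'view media' permission.
  'media' => function (array $account, array $node) {
    return in_array('view media', $account['permissions'], TRUE);
  },
);

// Constructed sample: a node restricted to the 'member' role, and an
// anonymous account with and without the 'view media' permission.
$node = array('view_roles' => array('member'));
$accounts = array(
  'with view media' => array('roles' => array('anonymous'), 'permissions' => array('view media')),
  'without view media' => array('roles' => array('anonymous'), 'permissions' => array()),
);

foreach ($accounts as $label => $account) {
  $result = model_file_access($modules, $account, $node);
  printf("anonymous %s: %s (granted by: %s)\n", $label,
    $result['allowed'] ? 'ALLOWED' : 'denied',
    $result['granted_by'] ? implode(', ', $result['granted_by']) : 'nobody');
}
```

Recording which module produced the grant is the useful part when debugging a private file that stays reachable: it points at the permission to review rather than at the node access configuration.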

AndrzejG’s picture

subscribe

dhalbert’s picture

A security bug was fixed in Drupal 7.1/7.2 which may cover some of the issues discussed here:

SA-CORE-2011-001 - Drupal core - Multiple vulnerabilities:

Access bypass in File module

When using private files in combination with a node access module, the File module allows unrestricted access to private files.

This issue affects Drupal 7.x only.

Niklas Fiekas’s picture

Subscribe.

ansorg’s picture

Help please, I don't get it.

I have a working private files setup in Drupal 7.7. If I block access to published content for guests I cannot i.e. access something like http://d7.ansorg-web.de/system/files/styles/large/private/DSC_0177.JPG. Of course, removing this permission blocks guests from everything.

But with "View published content" enabled, Guests can see those private files. Un-/checking "View media" does not seem to make a difference at all.

Media-7.2-dev, with a content type that has an image field with "Upload destination" "Private files"

Ideally, I'd like to have a setup working like the following: have a Taxonomy vocabulary that defines a few "Sections". Use Taxonomy access control to allow/deny access to content tagged with one of those Sections. (so far it works) Have media (in my case media == images) inherit those access restrictions. Is this possible using the media module?

dave reid’s picture

Issue tags: +private files

devin carlson’s picture

Status: Active » Closed (won't fix)

No new features are being added to Media 7.x-1.x. This permission is no longer provided by Media in the 7.x-2.x branch. File permissions are now part of the File Entity module and are being worked on in #1227706: Add a file entity access API.