A private site with content access denied to anonymous users has a problem when the filefield is used on a user profile registration form.

The ahah upload fails with HTTP error 0 because the access control on the form field checks:

 556 function filefield_edit_access($type_name, $field_name) {
 557   if (!content_access('edit', content_fields($field_name, $type_name))) {
 558     return FALSE;
 559   }
 560   // No content permissions to check, so let's fall back to a more general permission.
 561   return user_access('access content') || user_access('administer nodes');
 562 }

user_access('access content') will return FALSE.

WOuld be nice if the module could cater for this case, without having to hook_menu_alter the access callback out.

#2 filefield_access_less.patch1.18 KBquicksketch
Members fund testing for the Drupal project. Drupal Association Learn more


quicksketch’s picture

You know I've always thought that check was a bit funny. I think it predates my maintainership.

How about we just do this?

function filefield_edit_access($type_name, $field_name) {
  return content_access('edit', content_fields($field_name, $type_name));
quicksketch’s picture

Title: HTTP error 0 for anonymous people uploading a file » Allow users without "access content" permission to upload files
Status: Active » Fixed
1.18 KB

I've committed this patch to loosen up our access control slightly. If a module wants to deny view or editing access they can implement hook_field_access() and set the same permissions through that hook. FileField shouldn't be making assumptions about which permissions allow users to edit/view a field.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

budda’s picture

Excellent. Thanks for the speedy turn around.