A private site with content access denied to anonymous users has a problem when the filefield is used on a user profile registration form.

The ahah upload fails with HTTP error 0 because the access control on the form field checks:

function filefield_edit_access($type_name, $field_name) {
557   if (!content_access('edit', content_fields($field_name, $type_name))) {
558     return FALSE;
559   }
560   // No content permissions to check, so let's fall back to a more general permission.
561   return user_access('access content') || user_access('administer nodes');
562 }

user_access('access content') will return FALSE.

WOuld be nice if the module could cater for this case, without having to hook_menu_alter the access callback out.

#2 filefield_access_less.patch1.18 KBquicksketch


quicksketch’s picture

You know I've always thought that check was a bit funny. I think it predates my maintainership.

How about we just do this?

function filefield_edit_access($type_name, $field_name) {
content_access('edit', content_fields($field_name, $type_name));
quicksketch’s picture

Title:HTTP error 0 for anonymous people uploading a file» Allow users without "access content" permission to upload files
Status:Active» Fixed
new1.18 KB

I've committed this patch to loosen up our access control slightly. If a module wants to deny view or editing access they can implement hook_field_access() and set the same permissions through that hook. FileField shouldn't be making assumptions about which permissions allow users to edit/view a field.

Status:Fixed» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

budda’s picture

Excellent. Thanks for the speedy turn around.