A user has "edit permission" for a node with a filefield, but does not have "create permission". If the user edits the node and adds or replaces a file in the filefield, then whenever this file is requested, Drupal returns a "Page not found" error. If the "create permission" is applied then the file is normally served. It seems to me that since the user has editing privileges, the file should be served as normal. And in any case, it should not be a "File not found" message but a "Permission denied" message.

Apologies if this has been picked up previously - I could not find anything relevant in the issues list.

Comments

quicksketch’s picture

Haha, thanks for the report. I definitely wouldn't of thought of that use-case. This shouldn't be too hard to fix, I think the assumption right now is that user's wouldn't be uploading files if they didn't have permission to create nodes, but clearly there's a possibility for it. This shouldn't be a hard fix, we probably just need an OR statement in filefield_file_download().

pwolanin’s picture

Version: 6.x-3.10 » 6.x-3.x-dev
Issue summary: View changes
Issue tags: +Needs issue summary update

Please write up a set of concise steps to reproduce.