Currently, the link method to notify users of a new file download appears to be with the [expiration:downloads] token. This token provides the url to the file that allows a user to download the file from the site if/once they are logged in. This method fails to take into account a user who is not logged in and wants to directly download the file without login. In 6.x this was the default procedure (download without authentication), but this is no longer the case now.

Am I missing a setting?

Members fund testing for the Drupal project. Drupal Association Learn more


longwave’s picture

Category: bug » support
Status: Active » Postponed (maintainer needs more info)

Not sure what you mean. Where are you trying to use this token, and where and how did you use the equivalent token in 6.x?

Ron Williams’s picture

Under d6, when an e-mail was generated for a file download, the link directly allowed download of the file. In d7, it appears that it takes the user to the download page and they must login to access that page.

longwave’s picture

Status: Postponed (maintainer needs more info) » Active
longwave’s picture

Status: Active » Fixed

You should just need to grant the "download file" permission to anonymous users. If this still isn't working please provide the exact error messages and/or a screenshot demonstrating the issue.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

drupalEx1234’s picture

I have the same problem and have granted "download file" permission to anonymous users. Any ideas how I can enable file downloads for anonymous users?

drupalEx1234’s picture

Status: Closed (fixed) » Needs review
drupalEx1234’s picture

Status: Needs review » Active
longwave’s picture

Status: Active » Postponed (maintainer needs more info)

In #4 I said "please provide the exact error messages and/or a screenshot demonstrating the issue."

drupalEx1234’s picture

After purchase the user receives an email with a link to the file(s) they have purchased. The link looks like this:

If I'm not logged into Drupal (which as a customer you wouldn't be) then you get the following error:

Access denied
You are not authorized to access this page.

On the "permissions" page under "File downloads" I have ticked for anonymous users:

Download file
View all downloads

longwave’s picture

Is anything logged in watchdog (Reports > Recent log entries) when this happens? As long as the user has the correct permission, any other download failure should be logged in watchdog with the reason.

longwave’s picture

Status: Postponed (maintainer needs more info) » Closed (cannot reproduce)

No further info provided. File downloads errors should be logged in watchdog.

tgldesign’s picture

I have the same issue. the file download link should be a one time only link, but instead the link in the email is something like so when the user clicks there is no download.

I think there is a missing token. I imagine there needs to be an extra one made like:


probably named differently but does that make sense?

at the moment I can't see any way of allowing users to download their files without logging in, like I used to in drupal 6.

tgldesign’s picture

Status: Closed (cannot reproduce) » Active


longwave’s picture

Category: support » feature
eurotransient’s picture

Category: feature » support

I've started having this issue as well. We just updated Ubercart to 7.x-3.5 and file downloads no longer work at all.

Prior to the update, when a file download email would be sent, the link to that email would appear like this:

http://[]/download/[fid of the file being downloaded]/[long string of characters]

Now, the email download links leave out the long string of characters, which I believe were tied to the download limits (time, number, ip address, etc). So the link is just:

http://[domain]/download/[fid of the file]

It always returns an access denied page, even if I'm logged in as an administrator.

There is no error message in the status logs and the issue is with the link being generated. This isn't a feature request -- this is a missing feature. I don't see that file downloads have been removed, so at some point in the update, that unique download string got stripped out of the URL generated when granting files.

That url is being generated by the following rule created by Ubercart:

Notify customer when a file is granted
Machine name: uc_file_notify_grant_trigger

Within that rule, the download link is being generated by the following token:


Whatever is supposed to create that link is getting tripped up somewhere.

If someone can give me an idea of how I can help to solve this issue, I'd appreciate it. Like I said, there's no error in dblog (except for the "Access Denied" error when you try to click on the malformed download link). This is a pretty critical feature for our site, so any help would be greatly appreciated.

longwave’s picture

The file key (long string of characters) was deliberately removed in 7.x, though I am not entirely sure why. File downloads are supposed to work without the key now.

I wonder if you are seeing the same issue as #2024565: File download access denied even for user 1? That is the reason for it not working "even if I'm logged in as an administrator", at least.

longwave’s picture

Status: Active » Postponed (maintainer needs more info)

When you say "file downloads no longer work at all", is this for all users, or only anonymous users?

Stormcrow’s picture

Hi, I have the same / similar problem to that described above, so I will try to add useful information and answer any questions as I'm desperate to work out how to make this work for anonymous users. I'm no expert in Drupal or Ubercart though so bear with me, but I am here on the spot to answer or try to answer any questions at all that will help with this!

Ubercart Core 7.x - 3.5
Drupal Core 7.15

What I'm trying to achieve:
A simple e-commerce site with some physical and some download products, but requiring no account creation/login at any point. I am willing to accept that this means there are limitations to the security model - the content and anticipated customer base are low piracy risk. However, I am unable to find a way to get anonymous file downloads to work -at all- regardless of the permissions settings in file downloads section. It almost appears asif those permission settings are being ignored completely.

Private file location outside web root, file permissions 644
People permissions settings for file download: Both Download File and View all Downloads are permitted for all users including anonymous users.
Anonymous Checkout settings:
Enable anonymous checkout - enabled
Allow anonymous users to use existing email address - enabled
(All others settings under anonymous checkout disabled)

What Happens?
Order process and payment completes fine for anonymous, authenticated and admin users. A user account is created for anonymous users but is never used or communicated to the customer (outgoing e-mails/references to the account have been deliberately removed)
File Downloads e-mail is sent, with "simple" links ?q=download/1
(Exactly the same link is given for any order whether by a logged in user or an anonymous checkout, there is no unique string)
If I am logged in as admin, I am able to download the files from these links regardless. (This presumably is correct, but also the admin account has previously purchased these files in testing)
If I login as an authenticated user, and complete a purchase as this user, then download while still logged in, I am able to download the files (I assume this is also correct).
If I am logged in an an authenticated user who has not completed the purchase, then I get Access Denied.
If I am not logged in (anonymous user), then I get Access Denied. (Even when I have completed a purchase as an anonymous user). Effectively, it appears that I would be forced to both give my customer an account and make them log in, in order for them to download the file.

In the recent log messages, I see three log messages when I try to download using an anonymous user,
Page not Found img/loading.gif Anonymous user (I assume this is spurious as I see this frequently for all users)
Access Denied with location=file download link and user Anonymous User (not verified)

My apologies if I am missing something obvious - I will be monitoring this thread very actively and will be happy to reply with any information you need at all - I'm very keen to find a solution, even if that solution is very low security for anonymous downloads.


Stormcrow’s picture

Status: Postponed (maintainer needs more info) » Active
Pharitz’s picture

I was having the same issue, getting access denied notification when following the file download link sent via email. (even when logged in as user 1)
This could be related to

A patch was provided and this code is now included in Ubercart 7.x-3.x-dev.

After Changing to the dev version of ubercart the file downloads started working for me.

Remember to allow file download permission for anonymous users. And that the file download link via email will only work once... don't let that confuse you.

Good Luck!

corneboele’s picture

This patch restores the one-time download link functionality which was already available in Ubercart for D6.

Customer gets link to the file which works only one time. For more downloads the user should log in.

TR’s picture

Status: Active » Needs review

Set status to "Needs review" so the testbot will look at it ...

Status: Needs review » Needs work

The last submitted patch, 22: ubercart-one-time-download-link-1338426-22.patch, failed testing.

TR’s picture

Your patch seems to be in the wrong format. Some documentation on how to make patches in found at

If you need help creating the proper format, I'm glad to help - you can contact me at

corneboele’s picture

This one should be according to the guidelines.

corneboele’s picture

Status: Needs work » Needs review