Images are files attached to nodes. There are several modules in Drupal to restrict the access to nodes (e.g. taxonomy-access-control). But the image-module ignores those restrictions and allows the download of image files attached to a restricted node (download method is set to private). I suggest a solution for this problem by expanding the file_download hook in file "image.module" like this:

/**
 * Implementation of hook_file_download().
 *
 * Denies the download (-1) unless the user may view uploaded files and
 * may view the node the image is attached to.
 */
function image_file_download($file) {
  // Look up the file record to find the node it is attached to.
  $result = db_query("SELECT f.* FROM {files} f WHERE filepath = '%s'", $file);
  if ($item = db_fetch_object($result)) {
    if (!user_access('view uploaded files')) {
      return -1;
    }
    $node = node_load($item->nid);
    if (!node_access('view', $node)) {
      return -1;
    }
    // Access granted: return headers only if the file is a readable image.
    $size = image_get_info(file_create_path($file));
    if ($size) {
      return array('Content-Type: ' . $size['mime_type']);
    }
  }
}
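
The effect of the proposed check, as an added stand-alone model that is not part of the original post and is not Drupal or image module code: the file table, users, permissions and the `decide()` dispatcher are constructed, and the dispatcher assumes the private download handler denies on any -1 and serves when any hook returns headers.

```php
<?php
// Simplified model of private-download access checks. All data is constructed.
$files = ['images/secret.jpg' => 1, 'images/public.jpg' => 2];   // filepath => nid
$viewable = ['anonymous' => [2], 'editor' => [1, 2]];            // user => nids the user may view
$can_view_uploads = ['anonymous' => TRUE, 'editor' => TRUE];     // 'view uploaded files'

// Before: headers are returned for any known image, with no access check.
function image_download_before($file, $user) {
  global $files;
  return isset($files[$file]) ? ['Content-Type: image/jpeg'] : NULL;
}

// After: same decision order as the hook proposed in the post.
function image_download_after($file, $user) {
  global $files, $viewable, $can_view_uploads;
  if (!isset($files[$file])) {
    return NULL;                       // not a tracked file: no opinion
  }
  if (empty($can_view_uploads[$user])) {
    return -1;                         // lacks the file permission
  }
  if (!in_array($files[$file], $viewable[$user], TRUE)) {
    return -1;                         // node access denied
  }
  return ['Content-Type: image/jpeg'];
}

// Assumed dispatcher behaviour: any -1 denies, any headers serve the file.
function decide(array $results) {
  $headers = [];
  foreach ($results as $r) {
    if ($r === -1) {
      return 'denied';
    }
    if (is_array($r)) {
      $headers = array_merge($headers, $r);
    }
  }
  return $headers ? 'served' : 'not found';
}

foreach (['anonymous', 'editor'] as $user) {
  foreach (array_keys($files) as $file) {
    printf("%-9s %-18s before=%-7s after=%s\n", $user, $file,
      decide([image_download_before($file, $user)]),
      decide([image_download_after($file, $user)]));
  }
}
```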

Comments

drewish’s picture

Status: Needs review » Needs work

I'm interested in this, but a patch would make it much easier for me to review and/or commit in the limited time I can devote to the image module. Please review: http://drupal.org/patch

drewish’s picture

Status: Needs work » Closed (duplicate)

Ah, turns out I re-did this for http://drupal.org/node/165186