Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
This is for the Drupal 7 version and testing of: #1414990: Orphaned private files can not be accessed
Comment | File | Size | Author |
---|---|---|---|
#48 | 1420812-file_download-48.patch | 362 bytes | Devin Carlson |
#41 | 1420812-file_download-41.patch | 5.98 KB | Devin Carlson |
#34 | 1420812-file_download-34.patch | 5.97 KB | Devin Carlson |
#32 | 1420812-file_download-32.patch | 7.33 KB | logaritmisk |
#29 | 1420812-file_download-1.patch | 7.28 KB | redndahead |
Comments
Comment #2
Bevan CreditAttribution: Bevan commentedThis bug is probably not going to be solvable in Drupal core version 7, but maybe version 8. Perhaps the best solution is for File Entity module to implement
hook_file_download()
to apply simple access criteria in order to determine whether the file is accessible or not?Comment #3
firebird CreditAttribution: firebird commentedHow would we check if the file is accessible? Are there any permissions assigned directly to the file itself that we could check?
Comment #4
claudiu.cristeaSteps:
7.x-2.x-dev
).authenticated user
receiveview own files
,delete own files
,view own private files
,create files
,edit own files
permissions.admin/config/media/file-system
set the Default download method to Private local files served by Drupal.admin/structure/file-types/manage/image/edit
set the Allowed streams only to Private files.UID == 1
add an image (file/add
).file/[file_id]
). You can see that the image is not accessible.Comment #5
claudiu.cristeaComment #6
claudiu.cristeaSorry. Accidentally moved the status.
Comment #7
claudiu.cristeaRight now I only added a test that should fail, The test demonstrates that a user having
view own private files
permission is not able to download his own file.Comment #9
claudiu.cristeaHere's a patch with an improved test case.
Comment #10
claudiu.cristeaFixed some comments.
Comment #11
claudiu.cristeaSmall improvements. This is (really) the final one :)
Comment #12
ParisLiakos CreditAttribution: ParisLiakos commentedi like this approach.
only thing that remains is to remove all references from
file_entity_file_entity_access
to $grants, since grants wont be used nowComment #13
claudiu.cristeaLooking a little bit at permission descriptions I found:
This looks like we want to have separate permissions for view file details (aka
file/%file
) and file download (the file itself).Well, this I think it's not a good idea. We're dealing here with file entity, not other entities that are bundling files as field or property. IMO the the whole entity (file + meta + fields) is a single thing: the File Entity. If we want different access level for file and fields, just bundle a file into a node and use an appropriate module to fine tune permissions into the bundle. That's why I won't separate access for file itself from file details (meta+fields).
Comment #14
claudiu.cristeaHere's a patch according to #12.
Comment #15
claudiu.cristeaFixing some typos.
Comment #16
ParisLiakos CreditAttribution: ParisLiakos commentedThis is hard to read.
Why dont you add the message in the array as well with a key message and format the array nicely?
doesnt this trigger two notices/warnings since if owner is empty both variables ($url and $message_file_info) are not initialized?
Everything else looks good
Comment #17
claudiu.cristeaWell, the only unique thing that can act as a key is the message itself. Adding a new key is useless but we can make something in between by having the array as a vector array. Example:
No. That's how it was designed. The first test case will always create
$url
and$message_file_info
. Same the second. The others will reuse$url
and$message_file_info
already created by the file owners. The meaning is: Non-owner access is tested against files owned by somebody else.Comment #18
claudiu.cristeaReworking according to #17...
Here's only the test which should fail.
Comment #20
claudiu.cristeaHere's the patch with test.
Comment #21
claudiu.cristeaFix a small wrapping issue in phpdoc.
Comment #23
claudiu.cristea#21: file_entity-private-file-download-1420812-21.patch queued for re-testing.
Comment #25
claudiu.cristea#21: file_entity-private-file-download-1420812-21.patch queued for re-testing.
Comment #26
ParisLiakos CreditAttribution: ParisLiakos commentedYeap, thats what i actually meant..sorry for typing it the wrong way, but we got in the same page eventually, much better now
Comment #27
ParisLiakos CreditAttribution: ParisLiakos commentedSeems good to me.
Final points:
Yeah well, this is not documented in
getPrivateDownloadAccessCases()
. So if someone in the future adds a case in the top without owner it will trigger the error.Instead you should just initialize those variables before
foreach
and make sure you dont get any problems no matter whatI have to agree here. Care removing
, not for downloading files
fromt('For viewing file details, not for downloading files.'),
Besides those minors everything else looks good.
Comment #28
claudiu.cristeaMy point of view:
Anyway, I will sort that array on
owner
assuring that "owner" cases will be always on top. IMO that is superfluous but I will fix it in that way so the order will have no relevance because every time owners will create files (and$url
,$message_file_info already
).I will not touch this in this issue. The whole
hook_permission()
implementation needs some attention because:A separate ticket should be opened for
hook_permission()
refactoring.Comment #29
redndahead CreditAttribution: redndahead commentedHere is a re-roll with some changes.
Comment #30
redndahead CreditAttribution: redndahead commentedI noticed in #13 you say that we shouldn't separate download vs. view. So I guess I do that in the patch I posted. I completely understand where you are coming from and I'm trying to come up with a use case where the separation makes a difference. Even if we can't come up with a solid use case what's the downside of separating the two?
Comment #32
logaritmisk CreditAttribution: logaritmisk commentedTried to apply #29 against 7.x-dev, but faild. Updated it manually and created a new patch.
Comment #34
Devin Carlson CreditAttribution: Devin Carlson commentedUpdated patch.
Changes:
Comment #35
redndahead CreditAttribution: redndahead commentedI'm pretty sure view is if you went to file/fid and download is if you went to system/files/my_file_path/my_file_name.jpg
Comment #36
ParisLiakos CreditAttribution: ParisLiakos commentedi guess thats indeed download
Comment #37
Devin Carlson CreditAttribution: Devin Carlson commentedI believe that it's actually a bit more tricky than that. Visiting system/files/my_file_path/my_file_name.jpg with the appropriate permissions would open up the image in your browser while visiting the equivalent file/%fid/download would actually trigger the file to be downloaded to your machine.
This is the behavior provided by Drupal core through file_get_content_headers() but we could always force a file to be downloaded by returning the same headers used by file/%fid/download.
Also, I'm not sure about permissions. If we use file_entity_access('download') in hook_file_download() users must have the "view own private files" permission in order to view a private file but they could actually "download" the file if they went to the appropriate "system/files/*" path and had the more general "download own files".
Comment #38
Devin Carlson CreditAttribution: Devin Carlson commentedMarked #1919722: Files cannot be accessed by admin with file system set to private as a duplicate.
Comment #39
Devin Carlson CreditAttribution: Devin Carlson commented#34: 1420812-file_download-34.patch queued for re-testing.
Comment #41
Devin Carlson CreditAttribution: Devin Carlson commentedUpdated patch.
Comment #42
mpotter CreditAttribution: mpotter commentedI can confirm that this patch fixes the issue I have with private content not working with the current Media 2.x module. Thanks for the hard work, this has been a nasty critical bug with private files that has persisted for far too long. I'm tempted to mark it as RTBC but not sure I've tested for any other side effects. So I'll run with this patch for a week or so and then post back if all looks good. Hopefully other people can also test.
Comment #43
aaron CreditAttribution: aaron commentedThis looks great to me. I don't see any issues with it.
Comment #44
Devin Carlson CreditAttribution: Devin Carlson commentedCommitted to 7.x-2.x.
Comment #45
Devin Carlson CreditAttribution: Devin Carlson commentedMarked #1936064: Upload using file/add uploads file but does not display it / Access denied / Private upload as a duplicate.
Comment #46
treksler CreditAttribution: treksler commentednow that this is done, what should happen to http://drupal.org/node/1414990
Comment #47
claudiu.cristeaRegarding the
hook_file_entity_access()
implementation, the committed patch is not quite correct. The function returns:while there's no
$grants
defined anywhere. So we need to simply returnFILE_ENTITY_ACCESS_IGNORE
there:Also for code readability I like more the approach from #21 that wraps long lines and prevent code duplication. Using
instead of the long, unreadable and duplicated:
is preferred (IMO).
Anyway the first issue (unused
$grants
) is the reason I switched back to needs work.Comment #48
Devin Carlson CreditAttribution: Devin Carlson commentedA patch to simply return FILE_ENTITY_ACCESS_IGNORE.
Comment #49
Devin Carlson CreditAttribution: Devin Carlson commentedCommitted to 7.x-2.x.