Anonymous User can't upload

We could just start session when plupload loads for anonymous users too. I tested and it works for me...

What do you think?

I tried passing $skip_anonymous to TRUE value while calling api drupal_valid_token in plupload_upload_access. This skips the check for validating token for anonymous users. So in plupload.module changing

function plupload_upload_access() {
  foreach(func_get_args() as $permission) {
    if (!user_access($permission)) {
      return FALSE;
    }
  }
  return !empty($_REQUEST['plupload_token']) && drupal_valid_token($_REQUEST['plupload_token'], 'plupload-handle-uploads');
}

to

function plupload_upload_access() {
  foreach(func_get_args() as $permission) {
    if (!user_access($permission)) {
      return FALSE;
    }
  }
  return !empty($_REQUEST['plupload_token']) && drupal_valid_token($_REQUEST['plupload_token'], 'plupload-handle-uploads', TRUE);
}

is working for me. Please try it.

That approach looks better, as we do not create session for anonymous users.

I was thinking if we would create another permission like "use plupload" and add it to upload handler menu item. This would allow admin to fine-control access settings. I think allowing every anonymous user to upload files by default is not really a good idea.

Switching to needs work, as we need to prepare patch with your solution.

I was thinking about this and I realized that this solution actually creates a security issue. Since it does not check tokens for anonymous users it allows them to upload things on server even when they are not supposed to. That's not OK. I think we have to create session and check for token anyway.

Permission itself would not fix this. I also realized that we should not create permission as this is an API module. It should be a responsibility of modules implementing this.

Token check is used to determine if user really loaded plupload on a page or it is just trying to push a file on server using that menu callback. This is similar approach which is used in drupal Form API. At least as far as I understand this.

The point here is, that if you check security token even for anonymous users you know at least three things:

- plupload element was actually loaded on client side before upload,
- plupload element is part of some form,
- plupload is a part of some "bigger story", which will (hopefully) validate upload, check file extension, size, ...

That means that we rely on a module, that uses Plupload, to check that upload beeing secure.

If we skip that token, we basically open that menu path to everyone. That means that literally anyone can upload *anything* without even loading the form. Uploaded files will not be validated or checked at all. Not good IMO.

Yes, that is your specific use case. In that case you decided, that you want to open that form to anonymous users. If we commit your patch, we open upload URL worldwide for *all* sites that use Plupload. Even if they do not want to do that.

What is the problem with session? Is there any reason why session does not fit your use-case?

It seems like #process is a better place for this to be done.

Commited.