When using a private file system, image styles and this module, you are able to view all styled images (i.e. thumbnail) without logging in. I've got all permissions disabled for anonymous users, and the images created by image styles are not accessible prior to turning on the ABT module. Once ABT is enabled, anonymous users are able to see any images generated by image styles, although they cannot access the original image.

Comments

adooo’s picture

Hi there

Since ABT control does not go beyond node control, I don't really see how this is possible.
Can you provide short list of instructions on how to reproduce the behavior?
Thanks...

mnapier’s picture

Sure
Create an image field on a content type that uses ABT for access.
Set the field to private file system.
Set the field display to something other than the original in the display settings.
Upload an image to the field and grab the URL to the styled image.
Try to view that URL while logged out (with anonymous users having no access).

Doing that they (the anonymous user) will be able to see the picture. If you disable ABT and try it again they will not be able to view it.
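The comparison in the steps above can be scripted as a regression check. This is an added example, not code from the thread or from the ABT module. It assumes clean URLs and the Drupal 7 path layout `/system/files/styles/<style>/private/<path>` for derivatives of private files; the function names are hypothetical.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Assumed layout of a private image-style derivative path (Drupal 7, clean URLs).
STYLED = re.compile(r"^(?P<prefix>.*/system/files)/styles/[^/]+/private/(?P<path>.+)$")

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report a 3xx (e.g. redirect to login) instead of following it

def original_url(styled_url):
    """Map a styled-derivative URL back to the URL of the original private file."""
    parts = urlsplit(styled_url)
    m = STYLED.match(parts.path)
    if not m:
        raise ValueError("not a private image-style URL: " + styled_url)
    # Drop any query string; it belongs to the derivative URL only.
    return urlunsplit((parts.scheme, parts.netloc, m["prefix"] + "/" + m["path"], "", ""))

def anonymous_fetch(url, timeout=10):
    """GET with no cookies or credentials; return (status, content_type)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", "")

def served_as_image(result):
    """True only for a 200 that carries image data (a 200 login page does not count)."""
    status, ctype = result
    return status == 200 and ctype.lower().startswith("image/")

def check(styled_url, fetch=anonymous_fetch):
    """True when the derivative is readable anonymously but the original is not."""
    orig = served_as_image(fetch(original_url(styled_url)))
    styled = served_as_image(fetch(styled_url))
    return styled and not orig
```

Run `check()` against a styled URL from your own site with ABT enabled and again with it disabled; a `True` result matches the behaviour reported in this issue.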

adooo’s picture

Status: Active » Postponed

Reproduced...

I also looked around and this seems to be a problem for other ppl as well, including other content access modules. Some say it's a core bug and some reported that this module helped: http://drupal.org/project/private_files_download_permission

I could write a patch for abt and do what the module above does but imho, it doesn't belong here. Let's hold off and see if other abt users require this fix and maybe then take some steps.

paulmicha’s picture

adooo’s picture

Issue summary: View changes
Status: Postponed » Closed (works as designed)

Not an ABT issue