filefield_file_download() was directly copied from upload.module, and it still includes its permission check:

if (user_access('view uploaded files')) {
  ...
}

But that one won't work if the Upload module isn't enabled, so you get lots of 'access denied' pages instead of your file downloads.

This patch just removes this access check, which makes it work at all if Upload is disabled. If users want to have the access check, they're still free to enable the Upload module and set the checkboxes in the access control admin page.

CommentFileSizeAuthor
filefield-scrap-access-control.patch1.9 KBjpetso

Comments

jpetso’s picture

jpetso commented
Status: Active » Needs review

Oops, forgot to change the status appropriately: this is an issue *with* patch.

ZuluWarrior’s picture

ZuluWarrior commented

Hi there,

Just run into this bug.

However, the solution recommended is not the best solution, as it stops the permission check and if drupal is set to private download method can offer a way to circumvent this check. A better fix would be to add the hook_perm hook (shouldn't need hook_access) into the filefield.module.

I'ds suggest adding the following code, which will add the permissions to drupal, but only if the upload module is not present...

/**
 * Implementation of hook_perm().
 */
function filefield_perm() {
	if (!function_exists('upload_perm')) {
	  return array('upload files', 'view uploaded files');
	}
}

I've made this patch to my version of filefield, and although I've only tested on php/mysql/drupal on a windows box, it is working fine. I have control over who can view and upload files and without the upload module.

Hope this helps!!!

Regards,

The ZuluWarrior

scatteredbrainV’s picture

scatteredbrainV commented
Title: File download permission depends on Upload module » Filefield with Attachment module on
Version: 6.x-3.x-dev » 4.7.x-1.x-dev

I have the attachment module on on my websites, which, together with Filemanager, forces me to disable the Upload module.
Is there a way to make the Filefield module work correctly even with the Upload switched off?

jpetso’s picture

jpetso commented
Title: Filefield with Attachment module on » File download permission depends on Upload module

@valeria78:

1. Do not change the issue title without a good reason. If you change it, it's changed for the whole thread, not only for your comment.
2. Yes, there is a way to make it work. Actually, two ways: my "just-lose-this-permission" patch, and ZuluWarrior's "optionally-introduce-the-permission" explanation. Use any of them, and it will most likely work the way you imagined.

jpetso’s picture

jpetso commented
Version: 4.7.x-1.x-dev » 6.x-3.x-dev

Er, another status switched back to the original. Just to say it again, hijacking other people's issues is *evil*.

scatteredbrainV’s picture

scatteredbrainV commented

I'm very sorry for the troubles caused. I did not do that intentionally.
Thank you for the answers.

Again, I am very very sorry.

jpetso’s picture

jpetso commented

Hey, it's no problem, everything was easily reverted. Just take care to avoid it next time. Hope that one of the solutions fits your needs :)

scatteredbrainV’s picture

scatteredbrainV commented

Actually, no.
I tried ZuluWarrior solution, but I still have that same problem. When I click on the link created by the filefield module, the whole thing gets stuck and I have to restart the browser (Firefox).

jpetso’s picture

jpetso commented
Status: Needs review » Fixed

Fixed in HEAD. I committed a similar solution to the one that dopry did for imagefield recently, so there's now a new "view filefield uploads" permission. Remember to enable this permission for all the roles that you want to be able to access uploaded files.

Anonymous’s picture

(not verified) commented
Status: Fixed » Closed (fixed)