Right now in filefield_validate_size(), we have a special check that allows user #1 to have an unlimited file quota. This is pretty dumb on a lot of accounts:
- We eliminated almost all user #1 checks in Drupal 7; it's bizarre that we still have this one.
- The help text for the user (as provided by filefield_validate_size_help()) still indicates that there is a file size limit, but it's not enforced for user #1.
- This makes testing while logged in as user #1 quite confusing. I literally had started drafting a somewhat panicked security team e-mail because I thought file size validation had been broken in the most recent D7 release ("because I know it was working last week", so I thought).
- If there are any user file quotas on a site (and there usually aren't), user #1 will be in the admin role, which will likely have an unlimited quota.
I'm sure this check is in place because it also exists in the D6 FileField, from which I'll be more than happy to remove it there also. It's also worth noting that nowhere in core do we actually utilize the user-limit check anyway, so this is even less likely to have an impact on any existing sites.
#26 | file-validate-size-1468210-26.patch | 2.54 KB | Devin Carlson
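A simplified, stand-alone model of the behaviour described in the issue, added here as an illustration: the uid 1 bypass beside a variant that enforces the advertised limit for every account. It is not Drupal's or FileField's code; the function names, the account and file object shapes, and the sample sizes are assumptions.

```php
<?php
// Stand-alone model of the check discussed above. NOT Drupal's code:
// every function name and object shape here is hypothetical.

// "Before": uid 1 skips both the per-file limit and the per-user quota,
// even though the help text shown to that user still advertises a limit.
function model_validate_size_before($account, $file, $file_limit = 0, $user_limit = 0, $space_used = 0) {
  if ($account->uid == 1) {
    return array();
  }
  return model_size_errors($file, $file_limit, $user_limit, $space_used);
}

// "After": every account, including uid 1, is held to the configured limits.
function model_validate_size_after($account, $file, $file_limit = 0, $user_limit = 0, $space_used = 0) {
  return model_size_errors($file, $file_limit, $user_limit, $space_used);
}

// Shared limit logic. A limit of 0 means "no limit configured".
function model_size_errors($file, $file_limit, $user_limit, $space_used) {
  $errors = array();
  if ($file_limit && $file->filesize > $file_limit) {
    $errors[] = sprintf('The file is %d bytes, exceeding the maximum file size of %d bytes.',
      $file->filesize, $file_limit);
  }
  if ($user_limit && ($space_used + $file->filesize) > $user_limit) {
    $errors[] = sprintf('The file is %d bytes, which would exceed the disk quota of %d bytes.',
      $file->filesize, $user_limit);
  }
  return $errors;
}

// Constructed sample data: a 5 MB upload against a 2 MB per-file limit.
$file = (object) array('filesize' => 5 * 1024 * 1024);
$file_limit = 2 * 1024 * 1024;

foreach (array(1, 2) as $uid) {
  $account = (object) array('uid' => $uid);
  printf("uid %d: before=%d error(s), after=%d error(s)\n",
    $uid,
    count(model_validate_size_before($account, $file, $file_limit)),
    count(model_validate_size_after($account, $file, $file_limit)));
}
```

A regression test for this kind of change should upload an oversized file as user #1 specifically, since testing only with ordinary accounts never exercises the bypass.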