I've set up a private file system and created a content type with images.

Everything works for the original image: when published, the user can access the image; when not, he gets an access denied message.
But this works only for the original image.
But the image styles in the private files are still accessed.

How can I make those give access denied as well?

Comments

paulmicha’s picture

I encountered it with the following modules installed: content_access, acl, and nodeaccess_nodereference. I haven't had the time to dig deeper and look for any reasons within those modules, but after having read the other similar cases in which this issue occurs (see http://drupal.org/node/1216092 and http://drupal.org/node/1438888), I found a (very evil) workaround: hacking the core image module, file "modules/image/image.module", function image_style_deliver($style, $scheme), to comment out the "file_exists" test, which seems to bypass access checks?

  // If using the private scheme, let other modules provide headers and
  // control access to the file.
  if ($scheme == 'private') {
    //if (file_exists($derivative_uri)) {
    //  file_download($scheme, file_uri_target($derivative_uri));
    //}
    //else {
      $headers = module_invoke_all('file_download', $image_uri);
      if (in_array(-1, $headers) || empty($headers)) {
        return drupal_access_denied();
      }
      if (count($headers)) {
        foreach ($headers as $name => $value) {
          drupal_add_http_header($name, $value);
        }
      }
    //}
  }

"Imagination is intoxication, reality is its hangover" - Boulet
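
An alternative to patching core, as an added example that is not part of the original thread or of any module named in it: a small custom Drupal 7 module that denies private image-style derivatives from hook_file_download() unless the current user may view a node referencing the original image. The module name private_styles_guard is hypothetical, and the code assumes the images live in image fields attached to nodes.

```php
<?php
/**
 * @file
 * private_styles_guard.module (hypothetical module name, added example).
 */

/**
 * Implements hook_file_download().
 *
 * For private://styles/<style>/<scheme>/<path>, rebuild the original URI and
 * return -1 (deny) unless the current user can view a node that uses it.
 */
function private_styles_guard_file_download($uri) {
  $target = file_uri_target($uri);

  // Only act on private image-style derivatives; no opinion on anything else.
  if (file_uri_scheme($uri) !== 'private' || strpos($target, 'styles/') !== 0) {
    return NULL;
  }

  // Expected layout: styles/<style name>/<original scheme>/<original path>.
  $parts = explode('/', $target, 4);
  if (count($parts) < 4) {
    return -1;
  }
  $original_uri = $parts[2] . '://' . $parts[3];

  // A derivative whose original is not a managed file is denied.
  $files = file_load_multiple(array(), array('uri' => $original_uri));
  if (empty($files)) {
    return -1;
  }
  $file = reset($files);

  // Result is keyed by field name, then entity type, then entity id.
  $references = file_get_file_references($file, NULL, FIELD_LOAD_CURRENT, 'image');
  foreach ($references as $by_entity_type) {
    if (empty($by_entity_type['node'])) {
      continue;
    }
    foreach (array_keys($by_entity_type['node']) as $nid) {
      $node = node_load($nid);
      if ($node && node_access('view', $node)) {
        // No opinion: other modules still supply headers or deny.
        return NULL;
      }
    }
  }
  return -1;
}
```

Because file_download() refuses the request as soon as any implementation returns -1, this check applies to derivatives that already exist on disk, which is the branch the core edit above comments out.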