First of all, thanks for this module. We really rely on it.

We've got a site with a complex permissions model: revisioning and Domain Access are already installed, and we're about to install TAC Lite. Even with Module Grants in place, we're getting node_access('view') returning TRUE, even when access to the node page itself is denied. So the file is being served, although its node shows a 403.

Looking into the menu router for "node/%", it turns out that its access callback is _revisioning_view_edit_access_callback(). While I haven't dug into quite how that callback manages to get the three permissions models to work together - especially given that Module Grants really ought to have that access callback - if I load the menu router item in filefield_file_download(), and use its access callback rather than node_access(), then everything works!

I'll attach a patch presently for discussion.

Members fund testing for the Drupal project. Drupal Association Learn more


jp.stacey’s picture

Status: Active » Needs work
967 bytes

Patch attached. I appreciate this is a complex case, so I'd love feedback.

victoriachan’s picture

Adapted the patch for filefield 6.x-3.12