We're installing private download on a client site which already uses private upload. We've got to have them both in place for reasons of existing content and functionality.

Mostly they work fine together, but we noticed a weird effect: if the private upload folder is e.g. "private", and the private download folder is e.g. "private_download", then private upload will deny access to private download's files!

This is because the check around line 236 in private_upload_file_download() is too generous and returns false positives: it doesn't check to see if the file path begins "private/", just if it begins "private". So files not in a directory, e.g. "private_example.doc", could also be caught by this check!

A simple workaround is to set the folder names so there's no conflict, although this might not always be possible. The quickest permanent solution would be to add a "/" to the end of the $private_dir variable. I'll upload a possible candidate patch for this presently.
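The prefix collision described above, shown as an added example that is not the private_upload module's code or the attached patch: a bare string-prefix test beside one that requires the directory separator. The function names and sample paths are constructed for illustration; only `$private_dir` and the folder names come from the report.

```php
<?php
// Added illustration; not the private_upload module's code.
// Function names and sample paths are constructed for this example.

// Loose check: a bare string-prefix match, as the issue describes.
function in_private_dir_loose($filepath, $private_dir) {
  return strpos($filepath, $private_dir) === 0;
}

// Strict check: normalise the directory to end in exactly one "/",
// so only paths inside that directory match.
function in_private_dir_strict($filepath, $private_dir) {
  $prefix = rtrim($private_dir, '/') . '/';
  return strncmp($filepath, $prefix, strlen($prefix)) === 0;
}

$private_dir = 'private';
$samples = array(
  'private/report.doc',            // inside the private upload folder
  'private_download/invoice.pdf',  // belongs to the other module
  'private_example.doc',           // a file, not in any directory
  'public/private/readme.txt',     // "private" appears later in the path
);

// Print both verdicts side by side for each constructed path.
foreach ($samples as $path) {
  printf("%-30s loose=%-5s strict=%s\n",
    $path,
    var_export(in_private_dir_loose($path, $private_dir), TRUE),
    var_export(in_private_dir_strict($path, $private_dir), TRUE));
}
```

Neither function resolves `..` segments, so both assume the path has already been normalised before the comparison.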


Comments

jp.stacey

Status: Active » Needs review
FileSize: 671 bytes

One-line patch attached for comment.