Add token protection to file/%file/download callback?

Related issue that could influence this one - #2003216: Support file/%/download/%disposition-type

Hi,
I'm using 7.x-2.0-unstable7 (but was trying 7.x-2.x-dev from 2013-Jul-18 as well) and I have a really annoying issue related with using token. It happens only for anonymous user when goes to download link (like: http://example.com/file/13301/download?token=-Jyb62es4dDrmNGcgfDXWRDmSDi...) and it gives "Access Denied" page. Reason of that is dynamic session id for anonymous user. It fails in file_entity.pages.inc on line #40.

    if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], "file/$file->fid/download")) {
      return MENU_ACCESS_DENIED;
    }

So drupal_valid_token($_GET['token'], "file/$file->fid/download") for anonymous user always give FALSE because session ids on previous page (where was generated token for download link) and current page (where is checking of token) are different. I hope it makes sense.

Did I miss anything? Any suggestion?

This line in class views_handler_field_file_link_download is problematic:

$this->options['alter'] += $uri['options']

In my view I get the same token for each download link because the concatenation operator does not overwrite the previous options['alter']['query']['token'] value.
Will open a new issue.

The patch that was committed is problematic. For example:

1. User inserts a link to a public file download with a token into a node body.
2. Another user with correct permissions visits that node, and follows the link with the token.
3. User gets accessed denied when they follow the link to download, even though they should have permission to download the file, because the token is invalid *for them*.

Anybody who uses CKeditor Link File, with the current method will run into this problem.

This restrains file downloads using /file/fid/download?token=xxx method to ONLY be allowed for the user who originally uploaded the file. This seems extreme. In fact, it essentially overrides all of the config that is in place for file download permissions, and also any field level permissions on attachment fields.

In addition, access to the file without the token (file/fid/download) also results in access denied after this patch - regardless of the private/public status of the file and the permissions of the users.

This patch needs to be reworked unless we want to completely work against Drupal's permission architecture.

Hi Dave,

This is not an issue with text formats. It does not matter which text format configuration is used when the node body is saved.

The reason the tokenized download links don't work is because the tokens are generated based on user-specific information. Therefore, other users who try and follow a download link another user has posted will always get access denied, regardless of whether or not they have permissions to download the file.

In the current stable release, the token is generated with drupal_get_token():

https://api.drupal.org/api/drupal/includes%21common.inc/function/drupal_...

"The generated token is based on the session ID of the current user. Normally, anonymous users do not have a session, so the generated token will be different on every page request. "

Later, there was an attempt to fix this problem for anon users, but it did not address the root cause I explain above. The token is still generated using the session ID. This means only the user who generates the download token will ever be able to use it.

https://drupal.org/files/2062663-fix-the-token-on-callback-for-anonymous...

Would you like me to file a separate issue, or keep it here?