The hook gets triggered; however, when it returns FILE_ENTITY_ACCESS_DENY for the 'view' operation for a private file, it has no effect: users are still able to see the file.
If this hook doesn't work for the file 'view' operation, this can be a major flaw, because when File Entity is installed it becomes the main gatekeeper for accessing the private files, as far as I understand.
Comment | File | Size | Author |
---|---|---|---|
#7 | file_entity-view-operation-of-files-is-not-controlled-by-file-entity-module-2202687-7.patch | 290 bytes | aleksijohansson |
Comments
Comment #1
almc commented:
At least hook_file_download() still works, but I'm still not clear about hook_file_entity_access() role in restricting 'view' access to files.
Comment #2
aleksijohansson commented:
+1
I second the issue with hook_file_entity_access() not restricting the file "view" operation. I have a node that has a file field and I've set the field to output the rendered file. The hook is executed and it returns FILE_ENTITY_ACCESS_DENY, but it doesn't have any effect and the file is still being rendered.
I've tested this with the latest 2.x-dev version available today.
Comment #3
aleksijohansson commented:
Access to view the file entity directly when trying to view http://site.com/file/[file:name] (assuming file/[file:name] is your file path alias) is denied with hook_file_entity_access(), but if the file entity is rendered in any other way, it doesn't work.
Comment #4
aleksijohansson commented:
There is this comment in the file_entity.module:
In file listings, the process above is followed except that hook_file_entity_access() is not called on each file for performance reasons and for proper functioning of the pager system. When adding a filelisting to your module, be sure to use a dynamic query created by db_select() and add a tag of "file_entity_access". This will allow modules dealing with file access to ensure only files to which the user has access are retrieved, through the use of hook_query_TAG_alter().
But I'm not sure if that helps.
It seems that this issue is present also when just trying to prevent access to private files with only the functionality and permissions the file_entity module provides. For example: Create new content type and create file field to it. Select the field to use private file system. Set the field to show rendered file from the node display settings. Users with access to the node can view the link to the file even without the view private files permission or even without the view files permission. They can also download the file without either permission. The only thing they can't view is the file entity "page". Changed the title of the issue to match.
Comment #5
aleksijohansson commented:
It seems that the correct way to do this would be for file_entity to implement hook_file_download_access_alter() since hook_file_download_access() is only grant permissive.
Comment #6
aleksijohansson commented:
Added one issue that is possibly related.
Comment #7
aleksijohansson commented:
File entity should return -1 when access to file download is denied by its checks in hook_file_download(). Attached a patch.
Regarding my previous comment about hook_file_download_access_alter() and hook_file_download_access() the file entity module was already implementing hook_file_access() so the fix was done there.
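The return contract discussed in comments #1 and #7, as an added example that is not part of the thread or the attached patch: a hook_file_download() implementation that vetoes a private download when file_entity_access() denies 'view'. The module name mymodule is hypothetical, and the code assumes Drupal 7 with file_entity 7.x-2.x enabled.

```php
<?php

/**
 * Implements hook_file_download().
 *
 * Drupal 7 core collects the return value of every implementation:
 *   - -1     : veto, the request ends in "Access denied";
 *   - array  : HTTP headers, i.e. a grant for this URI;
 *   - NULL   : no opinion. If no module returns headers, access is denied.
 *
 * "mymodule" is a hypothetical module name used for this example.
 */
function mymodule_file_download($uri) {
  // Only private files are served through this hook; ignore other schemes.
  if (file_uri_scheme($uri) !== 'private') {
    return NULL;
  }

  // Look up the managed file record for this URI. Unmanaged files have no
  // file entity, so this module has no opinion about them.
  $files = file_load_multiple(array(), array('uri' => $uri));
  if (empty($files)) {
    return NULL;
  }
  $file = reset($files);

  // file_entity_access() evaluates the file_entity permissions and invokes
  // hook_file_entity_access() for the current user. A denial is turned into
  // an explicit veto so that a grant from another module cannot override it.
  if (!file_entity_access('view', $file)) {
    return -1;
  }

  // Access is fine from this module's point of view. Returning NULL rather
  // than headers leaves the actual grant to the module that owns the file.
  return NULL;
}
```

This only governs the download request for the private file; as comment #8 notes, it does not change whether the file is rendered as a field of a node.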
Comment #8
aleksijohansson commented:
Testing of my own patch indicates that file entity view files and view private files permissions now work as designed when a private file is accessed directly or the file entity of the file is viewed. This still doesn't affect the file being rendered as a field of node for example, but let's make a separate issue for that.
Comment #9
dineshw, as a volunteer and at TATA Consultancy Services for Pfizer, Inc., commented:
Facing the same issue, will be testing this patch!
Comment #10
joseph.olstad
In my tests with PHP 5.6.30 there was no difference in the behavior either before, or after the patch.
What version of PHP are you using?
The behavior for PHP 5.6.30 looks fine to me.
Using this test I could assign a role with private file permissions and access the private file
/system/files/test_private_file.png
and when removing that role, I got "Access denied" as expected.
Which version of file_entity are you using? Any patches that might be affecting the private files behavior?