The hook gets triggered; however, when it returns FILE_ENTITY_ACCESS_DENY for the 'view' operation on a private file, it has no effect: users are still able to see the file.

If this hook doesn't work for the file 'view' operation, this can be a major flaw, because when File Entity is installed it becomes the main gatekeeper for accessing the private files, as far as I understand.


Comments

almc’s picture

At least hook_file_download() still works, but I'm still not clear about the role of hook_file_entity_access() in restricting 'view' access to files.

aleksijohansson’s picture

+1

I second the issue with hook_file_entity_access() not restricting the file "view" operation. I have a node that has a file field and I've set the field to output the rendered file. The hook is executed and it returns FILE_ENTITY_ACCESS_DENY, but it doesn't have any effect and the file is still being rendered.

I've tested this with the latest 2.x-dev version available today.

aleksijohansson’s picture

Access to view the file entity directly when trying to view http://site.com/file/[file:name] (assuming file/[file:name] is your file path alias) is denied with hook_file_entity_access(), but if the file entity is rendered in any other way, it doesn't work.

aleksijohansson’s picture

Title: hook_file_entity_access() is not restricting file 'view' operation » View operation of files is not controlled by "view files" or "view private files" permissions

There is this comment in the file_entity.module:

In file listings, the process above is followed except that hook_file_entity_access() is not called on each file for performance reasons and for proper functioning of the pager system. When adding a filelisting to your module, be sure to use a dynamic query created by db_select() and add a tag of "file_entity_access". This will allow modules dealing with file access to ensure only files to which the user has access are retrieved, through the use of hook_query_TAG_alter().

But I'm not sure if that helps.

It seems that this issue is present also when just trying to prevent access to private files with only the functionality and permissions the file_entity module provides. For example: Create new content type and create file field to it. Select the field to use private file system. Set the field to show rendered file from the node display settings. Users with access to the node can view the link to the file even without the view private files permission or even without the view files permission. They can also download the file without either permission. The only thing they can't view is the file entity "page". Changed the title of the issue to match.

aleksijohansson’s picture

It seems that the correct way to do this would be for file_entity to implement hook_file_download_access_alter() since hook_file_download_access() is only grant permissive.

aleksijohansson’s picture

Added one issue that is possibly related.

aleksijohansson’s picture

File entity should return -1 when access to file download is denied by its checks in hook_file_download(). Attached a patch.

Regarding my previous comment about hook_file_download_access_alter() and hook_file_download_access() the file entity module was already implementing hook_file_access() so the fix was done there.
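The deny path discussed in this thread, as an added example that is not part of any comment and is not the attached patch or file_entity's own code: a custom Drupal 7 module implementing hook_file_download() that returns -1 when file_entity_access() refuses 'view', so that a FILE_ENTITY_ACCESS_DENY from hook_file_entity_access() also blocks the download. The module name `mymodule` is hypothetical, and the code assumes File Entity 7.x-2.x is enabled.

```php
<?php

/**
 * Implements hook_file_download().
 *
 * "mymodule" is a hypothetical module name used for illustration.
 * Drupal 7 core treats the return values as follows:
 *   -1     => access denied, regardless of what other modules return
 *   array  => headers to send (grants access unless another module denies)
 *   NULL   => this module has no opinion about the file
 */
function mymodule_file_download($uri) {
  // Only private files pass through Drupal on download; public files are
  // served directly by the web server and never reach this hook.
  if (file_uri_scheme($uri) !== 'private') {
    return NULL;
  }

  // Look up the managed file record for this URI.
  $files = file_load_multiple(array(), array('uri' => $uri));
  if (empty($files)) {
    // Not a managed file: leave the decision to other modules.
    return NULL;
  }
  $file = reset($files);

  // file_entity_access() is provided by the File Entity module. It invokes
  // hook_file_entity_access() and checks the "view files" and
  // "view private files" permissions for the current user.
  if (!file_entity_access('view', $file)) {
    // Explicit deny, so a grant from another module cannot override it.
    return -1;
  }

  // Access is acceptable here; return NULL so the module that owns the
  // file (for example the File field) supplies the response headers.
  return NULL;
}
```

This covers only the download path under /system/files; as noted in the thread, the file being rendered as a field of a node is a separate code path.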

aleksijohansson’s picture

Status: Active » Needs review

Testing of my own patch indicates that file entity view files and view private files permissions now work as designed when a private file is accessed directly or the file entity of the file is viewed. This still doesn't affect the file being rendered as a field of a node, for example, but let's make a separate issue for that.

dineshw’s picture

Facing the same issue, will be testing this patch!

joseph.olstad’s picture

Status: Needs review » Postponed (maintainer needs more info)

In my tests with PHP 5.6.30 there was no difference in the behavior either before, or after the patch.

What version of PHP are you using?

The behavior for PHP 5.6.30 looks fine to me.

Using this test, I could assign a role with private file permissions and access the private file
/system/files/test_private_file.png

and when removing that role, I got "Access denied" as expected.

Which version of file_entity are you using? Any patches that might be affecting the private files behavior?