I have a content type with a file field that has been set to "download link".
This works fine for users who are logged in, but anonymous users get the access denied page. Accessing the raw file URL is possible for anonymous users though. I went through all the permissions for anonymous users and all the relevant ones were enabled. After that I just enabled all permissions for anonymous users just to check and that did not work either.
The formatter makes the link become something like this: http://example.com/file/980/download?token=OBVqG5D1va06NDH2_BcgF0vqwVhhN...
Another weird thing is that this issue is not consistently repeatable. I have tested the download link across a number of PCs and it works for some and not for others. I cannot pinpoint the common denominator for those PCs whereby the download links did not work.
Comment | File | Size | Author |
---|---|---|---|
#9 | interdiff-2215247-6-9.txt | 1.23 KB | Darren Oh |
#9 | file_entity-anonymous-token-2215247-8.patch | 2.31 KB | Darren Oh |
Comments
Comment #1
csedax90
same problem and actually no solutions... please someone check this bug...
Comment #2
TaraRowell
I am having the identical issue right now - please help!
update:
It seems that the failure originates from here in the file_entity.pages.inc file:
When I do this I get nothing back:
Comment #3
TaraRowell
update #2
Adding this to settings.php seems to be making an impact:
Maybe the variable is just not set anywhere in the module?
Comment #4
Darren Oh
file_entity_access() allowed anonymous users to view files but not download them. Attached patch applies view permissions to download as well.
Comment #6
Dave Reid
@Darren Oh: This is why there are permissions for downloading the files.
The real problem here is our use of ip_address() for the anonymous token. I realized: why do we even care if anonymous users share a download link to a file? If one anonymous user can download, they all should pretty much be able to. The condition we really care about is logged-in users sharing download links between other users that may not have access to those files (or anonymous users). This case should be covered already.
So here's my fix to the token generation, which is to remove the identifier for anonymous users, and add the filesize and filemtime, which means the token would be regenerated for anonymous users only if a file has changed.
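A minimal model of the token change described in comment #6, added here as an illustration; it is not part of the thread and not the file_entity module's code. The HMAC construction, `SITE_KEY`, the helper names and the sample file values are assumptions.

```python
import base64
import hashlib
import hmac
from collections import namedtuple

# Constructed values: SITE_KEY stands in for the site's private key and salt.
SITE_KEY = b"constructed-site-secret"
File = namedtuple("File", "fid size mtime")

def _sign(value):
    mac = hmac.new(SITE_KEY, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def token_ip_bound(f, session_id, client_ip):
    # Old behaviour per comment #6: anonymous tokens keyed on the client address.
    ident = session_id or client_ip
    return _sign(f"file/{f.fid}/download:{ident}")

def token_file_bound(f, session_id):
    # New behaviour per comment #6: no identifier for anonymous users;
    # file size and mtime are mixed in (assumed here to apply to all users).
    ident = session_id or ""
    return _sign(f"file/{f.fid}/download:{ident}:{f.size}:{f.mtime}")

def check(expected, presented):
    # Constant-time comparison of the expected and presented tokens.
    return hmac.compare_digest(expected, presented)

def demo():
    f = File(fid=980, size=2048, mtime=1396000000)
    changed = f._replace(size=4096, mtime=1396500000)
    return {
        # Anonymous link built for one address, requested from another: rejected.
        "old_anon_other_ip": check(token_ip_bound(f, None, "198.51.100.7"),
                                   token_ip_bound(f, None, "192.0.2.10")),
        # Same request with the file-bound token, which ignores the address: accepted.
        "new_anon_any_ip": check(token_file_bound(f, None),
                                 token_file_bound(f, None)),
        # A logged-in user's link presented without that session: rejected.
        "new_shared_session_link": check(token_file_bound(f, None),
                                         token_file_bound(f, "sess-alice")),
        # Anonymous link issued before the file changed: rejected.
        "new_anon_after_change": check(token_file_bound(changed, None),
                                       token_file_bound(f, None)),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```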
Comment #8
Darren Oh
Testing requires the token to be generated from a plain string.
Comment #9
Darren Oh
Fixed test to use modification time and file size.
Comment #10
TaraRowell
Thank you @Darren Oh! We are testing this patch on a live site now and I will report back.
Comment #11
Anonymous (not verified)
Thanks @Darren Oh. @TaraRowell any news?
Comment #12
Proteo
I've applied the patch from #9 to a live site and it absolutely fixed the problem, many thanks @Darren Oh.
Comment #13
Anonymous (not verified)
Thanks @Proteo, I'm applying it now
Comment #14
TaraRowell
Sorry for the delay - yes - it works just great!
Comment #15
Anonymous (not verified)
Comment #16
Darren Oh
Set correct status.
Comment #18
aaron
Committed to http://drupalcode.org/project/file_entity.git/commit/d23fcf8.
Comment #20
stephenplatz
My field is simply not showing for anon users, even after applying #9. I wonder if this issue is related, checked permissions but still can't get the field to render if I'm not logged in.
Comment #23
museumboy
Solution #2 works for me, but I worry that it leaves some giant security hole in my Drupal install.
Comment #24
Dave Reid
Comment #25
huijing
I can verify that the latest version of file_entity with this patch works.
Comment #26
huijing
Comment #27
tomdisher
I don't see the changes in the latest 7.x 2.x-dev on 20141203.
Edit: Cancel that, I found this issue: https://www.drupal.org/node/2267483