I'm running into an access denied page when downloading files and I could really use some help figuring out why.

I have commerce file installed to sell videos and audio clips that are stored on s3. Upon checkout of product that contains a commerce file, the commerce license is created and set to active for the user. The files show up under the user's account but the link /file/48015/download?token=7MsF-JksFFwCMwFrUnimyo35Are6eWVptJbrf8Bp8Kw does not work and an access denied page is show, even for user 1. The link file/48015 brings up a blank white page.

I've tried adding this patch but with no luck. https://www.drupal.org/node/2273973

I'm running Drupal - 7.28 and these are some of the modules I'm using.
Commerce 7.x-1.9
Commerce Backoffice 7.x-1.4
Commerce File 7.x-2.0-beta3
Commerce License 7.x-1.3
Amazon S3 7.x-1.0 with patch https://www.drupal.org/node/1277152#comment-8771475
AWS SDK for PHP 7.x-5.4
File Field Sources 7.x-1.9
Remote File Source 7.x-1.0
File Entity 7.x-2.0-alpha3+30-dev
Media 7.x-2.0-alpha3
Media Internet Sources 7.x-2.0-alpha3
IMCE 7.x-1.9
Secure Pages 7.x-1.0-beta2
LoginToboggan 7.x-1.4

Thanks!

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

justafish’s picture

Project: AmazonS3 » Commerce File
bluewallmedia’s picture

@justafish Hello :) I noticed you switched this from Amazons3 to Commerce File. Are you experiencing a similar issue or do you have an idea why this might be happening. I plan to spend some more time debugging this issue later this afternoon. I'll update the thread with new insight. Has anyone else experienced this lately?

Thanks!

bluewallmedia’s picture

Version: 7.x-1.0 » 7.x-2.0-beta3
brodiebrodie’s picture

I have the same Issue with commerce license and commerce file . I have applied the patch from this issue https://www.drupal.org/node/2075693 and still no joy. any help would be most appreciated !

bojanz’s picture

The only known cause of "access denied" is file entity 1.x (this module only works with file_entity 2.x), which is documented in #2183975: Commerce File links to a non-existent file/%file/download when used with File Entity.
bluewallmedia says they're using file_entity 2.x, but brodiebrodie didn't confirm that.

brodiebrodie’s picture

Apologies for the lack of info.
I am using file entity 7.x-2.0-alpha3+32-dev

bluewallmedia’s picture

We have been all over this issue. Here is some more information. We have two sites running the same code as mentioned at the start of this ticket. One works, One doesn't.

Server 1 began with Media 1.x , File Entity 1.x , Commerce File 1.x . We updated these with some fuss, but we ultimately got it to work. Somehow somewhere, this stopped working.

Server 2 began with Media 2.x , File Entity 2.x , Commerce File 2.x . This seems to be working. We even took a file from Server 1's S3 bucket, pointed it to Server 2's store, purchased the file and downloaded the file.

Both Servers are running Ubuntu 10.04 but Server 1 is running PHP5-curl version 5.3.2-1ubuntu4.26 and Server 2 is running PHP5-curl version 5.3.2-1ubuntu4.24. Could this be an issue ? I'm asking myself if this broke when I updated Curl a few weeks ago on Server 1. I postulate this because I recently ran into an issue in another software application (not drupal) where updating CURL broke an otherwise stable connection through AWS PHAR and custom PHP.

Happy to be as verbose as possible as we are having a heck of a time solving this issue on our end. What other info could I supply to help pin this issue down?

Thanks much for the help :) ~ peter

EDIT *** I should clarify we are using Amazon s3 sdk-1.6.2 in libraries for our Drupal sites.

bluewallmedia’s picture

Holy Cow :) Our issue was just fixed on Server 1... When we updated to the latest file_entity ... file_entity 7.x-2.0-alpha3.

This is curious and a little confusing because Drupal notified us about an upgrade to file_entity 7.x-2.0-alpha3 which Drupal also told us we had installed. The module's info file says it was updated in 2013. Not sure why we got the notification to update this again.

Anyway updating our current file_entity 7.x-2.0-alpha3 to file_entity 7.x-2.0-alpha3 seemed to do the trick for our issue. I'll update this thread as soon as I figure out exactly what fixed for us as the upgrade from file_entity 7.x-2.0-alpha3 to file_entity 7.x-2.0-alpha3 makes no sense to me at all. Still it started to work. Perhaps it was just solar flares :-)

brodiebrodie’s picture

I have reverted from file_entity 7.x-2.0-alpha3+32-dev to file_entity 7.x-2.0-alpha3 as in comment #8 and all appears to be working !

deggertsen’s picture

dancastellon’s picture

I removed the if statement within commerce_file_menu_alter() on line 52. That seemed to fix the issue for me.

sanduhrs’s picture

Title: Access Denied when using with Commerce File » Access token generation changed in file_entity module
Version: 7.x-2.0-beta3 » 7.x-2.x-dev
FileSize
693 bytes

Seems to be working with file_entity-7.x-2.0-alpha3 while file_entity-7.x-2.0-beta1 gives access denied.
Digging a bit deeper it appears the download token generation has changed:

alpha3:

function file_entity_get_download_token($file) {
  $identifier = !empty($GLOBALS['user']->uid) ? session_id() : ip_address();
  return drupal_hmac_base64("file/$file->fid/download", $identifier . drupal_get_private_key() . drupal_get_hash_salt());
}

beta1:

function file_entity_get_download_token($file) {
  // Return the first eight characters.
  return substr(drupal_hmac_base64("file/$file->fid/download:" . $file->uri, drupal_get_private_key() . drupal_get_hash_salt()), 0, 8);
}

commerce_file uses:

/**
 * Generate a file download CSRF token.
 *
 * This is essentially a duplicate of drupal_get_token, that attempts to still
 * work if the user is anonymous, by using ip_address() as the identifier
 * rather than session_id().
 *
 * Copy of file_entity_get_download_token().
 *
 * @param object $file
 *   A file entity object.
 *
 * @return string
 *   A CSRF token string.
 */
function commerce_file_get_download_token($file) {
  $identifier = !empty($GLOBALS['user']->uid) ? $GLOBALS['user']->sid : ip_address();
  return drupal_hmac_base64("file/$file->fid/download", $identifier . drupal_get_private_key() . drupal_get_hash_salt());
}

Which per comment is a "Copy of file_entity_get_download_token".
So I think we should keep up to date with the changes in file_entity module?

Patch is attached.

sanduhrs’s picture

Status: Active » Needs review
deggertsen’s picture

@sanduhrs, good work. I'll try to test as soon as I can, but it looks like you've found the problem and determined the correct solution.

deggertsen’s picture

Got this error on my site after applying the patch:

CommerceLicenseException: Attempted to instantiate a broken license type plugin in CommerceLicenseBroken->__construct() (line 574 of /sites/all/modules/commerce_license/includes/plugins/license_type/base.inc).

deggertsen’s picture

FileSize
1.98 KB

Ok, seeing as you found the problem being the file_entity_get_download_token function. I noticed that in the new function there is no identifier and thus no need to change the identifier in the function. So I simply changed out all the commerce_file_get_download_token function references with file_entity_get_download_token function references and now the module is working as expected. I'm not sure if there are any down sides to what I have done here so this certainly needs review, but until then it is working and I will be using this patch.

dxx’s picture

Hi,

this patch (#16) working good and fix this issue, but all links are a short token "/file/101/download?token=wplMlMpq" before: "/file/101/download?token=8uzKiylmPkoohCMDGRrFKfWUIzI_5x-aPoy7fSoafVI". This is the desired result?

file_entity: 7.x-2.0-beta1 ( 2014-10-04)
commerce_file: 7.x-2.0-beta3 (2014-06-04)

sanduhrs’s picture

Yes it is.

sanduhrs’s picture

Anoyone up for a review?

sanduhrs’s picture

In reply to # 16 :
As far as I understood the code, the commerce_file_get_download_token() function exists to prevent a hard dependency on the file_entity module. If we remove the function we introduce the dependency on file_entity module, while duplicating it allows commerce_file to be used without it.

@deggertsen
I didn't experience any exceptions and I don't see why your patch should make any difference in that regard.
Could you trace down why the exception appears?

At the moment, I'd rather stick with the patch in #12 so commerce_file can be used standalone without file_entity module.
Review anyone?

dxx’s picture

Oup's! I have patched with the #16! I'm trying now with your patch (#12).

dxx’s picture

Ok, I confirm that working with your patch (#12). I able to download files in my account and after checkout process (if order paid). Tested into anonymous user, registered and administrator.

sanduhrs’s picture

Thanks for the feedback.
But this won't go any further until you execute step 4. in the review process.
See https://www.drupal.org/patch/review#review
Thanks.

dxx’s picture

Ok ;) but this is not the author of the message to change the status?

dxx’s picture

Status: Needs review » Reviewed & tested by the community
sanduhrs’s picture

Priority: Normal » Critical

Thanks for the review!

Bumping this to critical as currently the latest version of commerce_file and file_entity are incompatible.

dxx’s picture

Yes, you are right!

BeWhy’s picture

I have:

  • updated to file_entity-7.x-2.0-beta1
  • applied the patch in #12

and now things are working ....

so I've got that going for me which is nice.

bojanz’s picture

Status: Reviewed & tested by the community » Fixed

Updated the docblock of the function to match the new file_entity version, and committed #12. Thanks!

  • bojanz committed ba7104f on 7.x-2.x authored by sanduhrs
    Issue #2302897 by sanduhrs, deggertsen: Access token generation changed...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

svn7svn’s picture

This seems to be an issue again after recent updates. Is anyone else getting access denied to purchased files?

svn7svn’s picture

Status: Closed (fixed) » Needs review
deggertsen’s picture

@svn7svn we are on the 1.x version, but not 2.x.

sanduhrs’s picture

Status: Needs review » Closed (fixed)

The code dint'd change since then.
Just checked with latest 7.x-2.x branches.

And you can do so yourself:
http://cgit.drupalcode.org/file_entity/tree/file_entity.module#n2591
http://cgit.drupalcode.org/commerce_file/tree/commerce_file.module?h=7.x...

So as long as you can't provide more detail, this issue is still fixed.
Please open a new issue if you can, though.

svn7svn’s picture

I would love to provide more detail if i knew what to provide.

This issue persists for us. We've actually moved all of our purchased files to Vimeo because of it.

AllanDummer’s picture

Also ran into the same issue.

Commerce : 7.x-1.13
Commerce file : 7.x.2.0-beta3
Filer Entity (Viewable files): 7.x-2.0-beta2

Installed patch #12 and it now works. Sorry I just don't have the time now to go digging but thought I'll mention it here.

nrosquist’s picture

Ran into same issue as well.

Commerce: 7.x-1.13
Commerce file: 7.x.2.0-beta3
File Entity: 7.x-2.0-beta3

Patch 12 worked for me too.

shubhraprakash’s picture

I think the below patch will save us future worries of changes in file_entity module and can fall back to commerce_file implementation when file_entity is not installed.

Index: commerce_file.module
===================================================================
--- commerce_file.module	(revision 1)
+++ commerce_file.module	(revision 2)
@@ -49,7 +49,7 @@
   // Added via hook_menu_alter() in order to override the same path
   // when provided by file_download_count (since that version doesn't force
   // the file to be downloaded).
-  if (!module_exists('file_entity')) {
+  if (empty($items['file/%file/download'])) {
     $items['file/%file/download'] = array(
       'page callback' => 'commerce_file_download_page',
       'page arguments' => array(1),
@@ -874,6 +874,15 @@
  *   A CSRF token string.
  */
 function commerce_file_get_download_token($file) {
-  $identifier = !empty($GLOBALS['user']->uid) ? $GLOBALS['user']->sid : ip_address();
-  return drupal_hmac_base64("file/$file->fid/download", $identifier . drupal_get_private_key() . drupal_get_hash_salt());
+  if(module_exists('file_entity'))
+  {
+	  $download_token = file_entity_get_download_token($file);
+  }
+  else
+  {
+	  $identifier = !empty($GLOBALS['user']->uid) ? $GLOBALS['user']->sid : ip_address();
+	  $download_token = drupal_hmac_base64("file/$file->fid/download", $identifier . drupal_get_private_key() . drupal_get_hash_salt());	  
+  }
+  
+  return $download_token;
 }
nelslynn’s picture

Ran into this issue to and had to spend several hour tracking this down. PLEASE, can we commit #39 or #12? Either patch makes "Access Denied" go away!!

Commerce: 7.x-1.13
Commerce file: 7.x.2.0-beta3
File Entity: 7.x-2.0-beta3

nelslynn’s picture

Why is this issue closed? #12 patch is NOT applied to 7.x-2.0-beta3 or the dev version: 7.x-2.x-dev

I still get access denied without using #12 or #39.

sanduhrs’s picture

This has been committed three years ago: http://cgit.drupalcode.org/commerce_file/tree/commerce_file.module?h=7.x...
You find it in the dev branch 7.x-2.x:

b0c083600013360fadd8dfeaefcdd6cc797c245e (HEAD -> 7.x-2.x, origin/7.x-2.x) Issue #2219835 by Tyler Pepper: Commerce File Download Limit Hook - Commerce File Bulk
ba7104fbf10eb9df6b58728f295082a72b4f1dcb Issue #2302897 by sanduhrs, deggertsen: Access token generation changed in file_entity module
1c88f46b0a7b2f0ed99c5aa743a71bfb20bb0be9 Issue #2295465 by torgosPizza: Added Option to show file size in themed files list [Patch].
279086dfaa3f59787fbe582c099e54db0598921e (tag: 7.x-2.0-beta3) Issue #2273427 by Tyler Pepper: Fixed Download token doesn't match session token on HTTPS.
Chris Matthews’s picture

Would it be possible to roll commit ba7104f, plus the two others listed below into a 7.x-2.0-beta4 release?

https://cgit.drupalcode.org/commerce_file/commit/?id=1c88f46

https://cgit.drupalcode.org/commerce_file/commit/?id=b0c0836