Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.I came across a bug in the following use case:
- Using Field Permissions to configure access by role to file fields
- File field set to use private file system
Access to view the file field works as expected, but users did not have download access. Users could view the file link, but when they clicked on it they were taken to the access denied page. The correct behavior would be that users with permission to view the field also have permission to open or download the file content of the field.
I believe this is a Drupal Core issue documented here: https://www.drupal.org/node/1440312. As of Drupal 7.32 this is an issue, and I believe it has been an issue since 7.1something.
I wrote a quick module that uses hook_file_download_access_alter to grant download access if the user has view access as set through the Field Permissions module (see attached zip). This module fixes my use case - granting download permission when custom Field Permissions grant view permission. I'm using Field Permissions 7.x-1.0-beta2 and Drupal Core 7.32.
I just wanted to share in case anyone else has this specific issue when using Field Permissions. Since the underlying issue seems to be in core, I didn't think a Field Permissions patch was the way to go.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | field_permissions_private_file_fix1.1.zip | 1.85 KB | anschultz |
Comments
Comment #1
anschultz CreditAttribution: anschultz commentedComment #2
anschultz CreditAttribution: anschultz commentedMade a change to the field_permissions_field_access function call - found it was throwing an error.
Comment #3
Anisorf CreditAttribution: Anisorf commentedDear anschultz,
First of all, thank you for your work and sharing this module. Seems that I'm having the same problem as you. The user with given role can see that there is some resource and a link to it (for example a PDF file), but on clicking to open it he gets "Access Denied" "You are not authorized to access this page".
I'm using Field Permissions 7.x-1.0-beta2 and Drupal Core 7.34. Installing and enabling your module does not resolve the problem.
P.S. I also use Content Access 7.x-1.2-beta2 and maybe this is creating further conflicts, but if I recall well time ago everything was working fine.
Thanks in advance for any suggestions you can gave me.
Anisorf.
Comment #4
jamesfk CreditAttribution: jamesfk at Website Express Ltd. commentedHi Anisorf,
We're also seeing a problem with recent Drupal 7 versions and private files using just content access. I haven't seen any other reports filed, so have put one under content access for now:
https://www.drupal.org/node/2682635
Did you manage to resolve your issue in the end? I'm going to upgrade the site one Drupal 7 version at a time to see which exact version brought in the issue - as we jumped a few in one go.
All the best,
James
Comment #5
mariacha1 CreditAttribution: mariacha1 at ThinkShout commentedThis is a problem with the file's (entity level) permission, not the field permission. Field permissions don't change the access a person might have to the content on the page linked to from the field.
As support for D7 draws to a close, the scope for D7 field permissions isn't likely to be expanding any time soon, and given the age of this issue, I'm closing.