I'm using Nodeaccess on a client site and files in file fields are ignoring the node grants. If you can construct a link to the file, you can download it, regardless of your role or even whether you're logged in. My client is having kittens over this of course, which I understand, but they don't understand that I'm at wit's end about it. I set up a test site with the same setup and it works perfectly. I've pared back everything I can imagine might be conflicting with the system on the production site, but it keeps merrily serving supposedly protected files.

Does anyone have a clue what more I can do to troubleshoot or solve this?

Comments

phl3tch created an issue. See original summary.

phl3tch’s picture

phl3tch CreditAttribution: phl3tch commented

Apparently if you have IMCE installed, Drupal will pass downloads through it instead of the core functions. And it bypasses security. Joy.

vlad.pavlovic’s picture

vlad.pavlovic CreditAttribution: vlad.pavlovic as a volunteer commented
Status: Active » Closed (works as designed)

I would say that this is not a Nodeaccess bug, but is instead an issue with IMCE bypassing standard access checks on files that are uploaded.