I'm using Nodeaccess on a client site and files in file fields are ignoring the node grants. If you can construct a link to the file, you can download it, regardless of your role or even whether you're logged in. My client is having kittens over this of course, which I understand, but they don't understand that I'm at wit's end about it. I set up a test site with the same setup and it works perfectly. I've pared back everything I can imagine might be conflicting with the system on the production site, but it keeps merrily serving supposedly protected files.
Does anyone have a clue what more I can do to troubleshoot or solve this?
Comments
Comment #2
phl3tch CreditAttribution: phl3tch commentedApparently if you have IMCE installed, Drupal will pass downloads through it instead of the core functions. And it bypasses security. Joy.
Comment #3
vlad.pavlovic CreditAttribution: vlad.pavlovic as a volunteer commentedI would say that this is not a Nodeaccess bug, but is instead an issue with IMCE bypassing standard access checks on files that are uploaded.