Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
How to reproduce the bug:
- Create a custom content type with a file field
- Password protect this content type
- Have a user role with "bypass password for view"
- Try to display the node with this user (this will work fine)
- Try to display the node's file attachment with this user (this will return access denied error)
How I fixed it:
I fixed it on my local drupal by adding this code snippet, line 792:
if (user_access('edit protected content')) {
return;
}
Let me know if you want me to pull request, and how to do it, i'd be glad to do it.
Comment | File | Size | Author |
---|---|---|---|
#2 | protected_node-file_attach_bypass_view-2823734-2.patch | 4.89 KB | Grimreaper |
Comments
Comment #2
GrimreaperHello,
Thanks for reporting the issue.
I see two problems with your issue.
In the steps to reproduce the bug. The file field should use the private file system.
If it is a problem with the bypass password for view. It should be this permission that should be tested and not the bypass password for edit action.
Here is a patch that fix the bug and add an automated test for that. Please test it and if it ok I will merge it.
Thanks for the review.
Comment #4
GrimreaperThis is now merged.