The example for https://api.drupal.org/api/drupal/modules!system!system.api.php/function...

  • Uses file_prepare_directory() to determine if it's managed by the current module but this function will always return false if passed a file
  • Doesn't return NULL if a file is not managed by the current module because it never checks this
  • If the user doesn't have the 'access user profiles' permission they will not be able to see private files managed by another module because it always thinks it manages every file
  • If the user does have 'access user profiles' the 'Content-Type' header is set to NULL so files that aren't images are displayed as binary because it always sets the 'Content-Type' header to NULL

Should be something like:

function hook_file_download($uri) {
  // Check if the file is controlled by the current module.
  $files = file_load_multiple(array(), array('uri' => $uri));
  $file = reset($files);
  if ($file) {
    $usage = file_usage_list($file);
    if (isset($usage['user'])) {
      if (user_access('access user profiles')) {
        $info = image_get_info($uri);
        return array('Content-Type' => $info['mime_type']);
      }
      else {
        // Access to the file is denied.
        return -1;
      }
    }
    else {
      // File is not controlled by the current module.
      return NULL;
    }
  }
}

Comments

Reuben Unruh created an issue. See original summary.

yash_khandelwal’s picture

Try this.

if (!user_access('access user profiles')) {
  // Access to the file is denied.
  return -1;
}
else {
  $info = image_get_info($uri);
  return array('Content-Type' => $info['mime_type']);
}

yash_khandelwal’s picture

Status: Active » Fixed
Reuben Unruh’s picture

Status: Fixed » Active

Thanks for looking at this but I'm not looking for support. I'm saying that the d.org documentation for this hook seems wrong. The example code will always treat files as if they belong to the current module so it then applies an irrelevant permission check and a mime type that can break file downloads.
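
An added example, not part of the issue or of Drupal's documentation: a stand-alone PHP model of the two failure modes listed in the summary, run against a private file that belongs to a different module. The aggregation rule in decide(), the billing module, the sample URIs and every function name are assumptions made for illustration.

```php
<?php
// Stand-alone model, not Drupal code; all names below are hypothetical.
// Constructed sample data: the module that records usage of each file.
$usage = array(
  'private://pictures/picture-7.png' => 'user',
  'private://invoices/2014-03.pdf' => 'billing',
);

// Documented example as the issue describes it: the ownership test never
// fails, so every URI is treated as a user-module file. $perm models
// user_access('access user profiles').
function documented_hook($uri, $usage, $perm) {
  return $perm ? array('Content-Type' => NULL) : -1;
}

// Proposed fix: a file with no 'user' usage is not ours, so abstain.
// 'image/png' stands in for the image_get_info() lookup.
function corrected_hook($uri, $usage, $perm) {
  if (!isset($usage[$uri]) || $usage[$uri] !== 'user') {
    return NULL;
  }
  return $perm ? array('Content-Type' => 'image/png') : -1;
}

// Hypothetical second module that grants access to its own files.
function billing_hook($uri, $usage, $perm) {
  $mine = isset($usage[$uri]) && $usage[$uri] === 'billing';
  return $mine ? array('Content-Type' => 'application/pdf') : NULL;
}

// Assumed aggregation: one -1 denies, NULL abstains, arrays are merged
// into the response headers, and no headers at all means denied.
function decide($uri, array $hooks, $usage, $perm) {
  $headers = array();
  foreach ($hooks as $hook) {
    $result = $hook($uri, $usage, $perm);
    if ($result === -1) {
      return 'denied';
    }
    if (is_array($result)) {
      $headers = array_merge($headers, $result);
    }
  }
  return $headers ? json_encode($headers, JSON_UNESCAPED_SLASHES) : 'denied';
}
$pdf = 'private://invoices/2014-03.pdf';
foreach (array(FALSE, TRUE) as $perm) {
  foreach (array('documented_hook', 'corrected_hook') as $hook) {
    $out = decide($pdf, array('billing_hook', $hook), $usage, $perm);
    echo $hook, ' perm=', var_export($perm, TRUE), ': ', $out, "\n";
  }
}
```

For the billing PDF, the documented shape ends in a denial without the permission and in a null Content-Type with it, while the corrected shape abstains and leaves the billing module's header intact in both cases.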