Problem/Motivation
Even when a managed file element's #uri_scheme is set to private, the temp file is available to anonymous users.
Steps to reproduce
- As an anonymous user
- Go to /form/test-element-managed-file
- Upload a text file
- Click link to temp file
Proposed resolution
Block anonymous users from accessing temporary private files.
Remaining tasks
- Remove links from file upload widget to anonymous file
- Block access to anonymous file.
- Write tests
Comment | File | Size | Author |
---|---|---|---|
#2 | private_temp_files_are-2842640-2.patch | 6.36 KB | jrockowitz |
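
One way the proposed resolution could be implemented, shown as an added example that is not the attached patch or the module's own code: a `hook_file_download()` implementation that denies anonymous requests for temporary files stored under `private://`. The module name `mymodule` is hypothetical.

```php
<?php

/**
 * @file
 * Hypothetical module "mymodule": deny anonymous downloads of temporary
 * private files. Illustration only, not the patch attached to this issue.
 */

use Drupal\file\FileInterface;

/**
 * Implements hook_file_download().
 */
function mymodule_file_download($uri) {
  // Only handle the private scheme; leave other schemes to their owners.
  if (strpos($uri, 'private://') !== 0) {
    return NULL;
  }

  // Look up the managed file entity that owns this URI, if any.
  $files = \Drupal::entityTypeManager()
    ->getStorage('file')
    ->loadByProperties(['uri' => $uri]);
  if (empty($files)) {
    // Not a managed file: this hook has no opinion.
    return NULL;
  }
  $file = reset($files);

  // A temporary file was uploaded through the widget but the form that
  // would make it permanent has not been submitted yet.
  if ($file instanceof FileInterface
    && $file->isTemporary()
    && \Drupal::currentUser()->isAnonymous()) {
    // Returning -1 denies the download, even if another module grants it.
    return -1;
  }

  // Permanent files and authenticated users: defer to other access checks.
  return NULL;
}
```

Because this denies the download to every anonymous visitor, including the uploader, it goes together with the remaining task of removing the temp file link from the upload widget.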
Comments
Comment #2
jrockowitz commented
Comment #3
jrockowitz commented
Comment #5
jrockowitz commented