Trying to get this module to work unsuccessfully. Different combinations of configuration gives same result (having no directory configured and giving role "Bypass Private files download permission" and removing this permission and configuring directory path "/" for all private files).

Trying to download file returns 403. Wachdog says:

Type: pfdp
User: URESNAME
Message: User 36 (URESNAME, URESNAME) granted permission to download uri "private://FILEPATH/FILENAME".

then immediately after

Type: access denied
User: URESNAME
Message: /FILEPATH/FILENAME
CommentFileSizeAuthor
#9 access_denied-2918393-9.patch3.2 KBCoops_

Comments

mansspams created an issue. See original summary.

zanonmark’s picture

zanonmark commented
Assigned: Unassigned » zanonmark
Status: Active » Postponed (maintainer needs more info)

Hi, could you please confirm you cleared the cache after configuring the module?

Also, could you please report a full log, including real path and file names?

Thanks,
MZ

weseze’s picture

weseze commented

I'm having the same issue...

Configured a directory for registered users only. Access granted by the module, immediately followed by an access denied...

UPDATE: I fixed this by increasing the modules weight in core.extensions.yml

zanonmark’s picture

zanonmark commented
Status: Postponed (maintainer needs more info) » Active
zanonmark’s picture

zanonmark commented
Status: Active » Postponed (maintainer needs more info)

Thanks for your report.

@weseze: Could you please post your working configuration?

Thanks,
MZ

weseze’s picture

weseze commented

I've edited our entire setup out, but you should still see the basic principle below:
(core.extensions.yml)

module:
  (contrib modules goe here): 0
  pfdp: 10
  (other contrib modules): 10
theme:
  stable: 0
  classy: 0
  seven: 0
  (...)
profile: ...
adaddinsane’s picture

adaddinsane
him/he/his
commented

Yup, this isn't working.

Running on PHP7.1, Drupal 8.6, It claims the file has been approved - and then it hasn't.

This was a file attached to a profile and I know Drupal does a parent access check as well.

weseze’s picture

weseze commented
Priority: Normal » Critical
Status: Postponed (maintainer needs more info) » Active

This module is fundamentally broken... (unless we are all missing something)

I've tried all possible config options that I can think of and there is always something not working...

General scenario:
Content type "Private download" with a file field that uploads to "private://download". Only authenticated users should be able to access the files from this field.
So the pfdp modules permissions are setup to only allow authenticated users access to the "private://download" directory.

Test 1:
Authenticated user has following relevant permissions:
- Document: Download any files
- View private files
This works, but this also gives the authenticated user access to ALL other private files.

So to prevent this, test 2:
Authenticated user has following relevant permissions:
- Document: Download any files
This does not work, because the core file module denies access based on the fact that the user does not have permission to the private files.

So to circumvent this, test 3:
Authenticated user has following relevant permissions:
- Document: Download any files
- View private files
Setup pfdp so the global private file directory is restricted to admin only and the downloads subdirectory is restricted to all authenticated users.
This does not work, authenticated user still has access to ALL private files.

Coops_’s picture

Coops_
Location London
commented
StatusFileSize
new access_denied-2918393-9.patch3.2 KB

This seems to be broken due to the way that Drupal Core handles file downloads. Basically, if _any_ module returns a permission denied response from hook_file_download, then access will be denied. See: https://www.drupal.org/project/drupal/issues/2461845

I've attached a patch which is a work around by simply bypassing any further checks in the hook and returning the file directly from the module if the module determines that permission should be granted. This seems to be the only way to bypass the default functionality of this hook.

Coops_’s picture

Coops_
Location London
commented
Status: Active » Needs review
zanonmark’s picture

zanonmark commented

@Coops_:
Exactly, that's what the specifications say to return: if any module fails, the chain will fail.
But thanks for your patch, I will merge it in a near future but also adding a directory-specific checkbox to let the administrator decide whether to be Drupal-compliant or to decide by himself what to do...

Thanks,
MZ

  • zanonmark committed 5a6fdaa on 8.x-2.x authored by Coops_ 
    Issue #2918393 by Coops_, zanonmark: Doesn't seem to work. Watchdog says...
zanonmark’s picture

zanonmark commented
Status: Needs review » Fixed

@Coops_: thanks for your patch, which I just committed making small changes (particularly an exit() statement to avoid duplication of HTTP transmissions, and minor issues).
I added a global option to the module, so this 'override mode' only works if enabled.

Could you please test if everything is ok now?

Thanks,
MZ

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

kvib’s picture

kvib commented

The option is great but in my case it seems to break the image style and render the original picture.