Hi there,

hook_file_download() is called on every private file download, and every module has the chance to block access to a file (by returning -1), grant access (by returning some headers) or not get involved (by returning nothing). If no modules return anything, the file is not served.

ckeditor_file_download() breaks this by always returning file headers if the file is present in the CKeditor upload directory, which is by default where all other files are uploaded. This means that CKeditor is granting access to all private files, unless another module expressly denies access. This seems to me to be undermining the way the private file system was designed.

Incidentally there is an easy workaround, which is to set the 'Location of files uploaded with CKEditor in the private folder:' to a subdirectory, but it's pretty difficult to narrow down why private file system isn't working as expected to this config setting.

Hope that's helpful.



mkesicki’s picture

Status:Active» Postponed
Anonymous’s picture


mkesicki’s picture

Status:Postponed» Needs work
mkesicki’s picture

Status:Needs work» Fixed

I commited changes to GIT. Please test latest DEV version. New option to global CKEditor profile added which give users more control about hook_download.

mkesicki’s picture

Status:Fixed» Closed (fixed)
mkesicki’s picture

Title:Ckeditor implementation of hook_file_download globally undermines private file download system» [D6] Ckeditor implementation of hook_file_download globally undermines private file download system