Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Files within sites/default/files/private that are part of unpublished nodes are unavailable to Users with Roles that should have access (e.g., Access Denied.) Publishing the nodes makes the files available to the proper Users. Any thoughts on what it would take to patch this?
As a sidenote, I am using the View Unpublished module to allow non-Admin and non-Owner roles access to unpublished nodes. I've verified that non-Admin and non-Owner roles can access files that are uploaded into public directories even if the node is unpublished. Also, I am using the CCK FileField module to handle upload and download.
Comments
Comment #1
johnhanley CreditAttribution: johnhanley commentedYeah, I understand what you mean. Thanks for bringing this issue to my attention.
It's funny, I didn't anticipate this scenario because originally the private files were not intended to be attachments or assets of a node. Now, with CCK FileField, controlling access on a per node basis needs to be addressed.
Currently access is only controlled with the "access private download directory" permission. However, it would be possible to further control access with hook_file_download(). This hook is already being used to define HTTP headers. Some additional logic could be added to the function to determine if the file is associated with a node and if that node is published/unpublished.
I'm perfectly willing to make this addition, but before proceeding can you think of any other conditions or attributes that should be checked before allowing/denying access to a file? For example you mentioned the View Unpublished module. I'm not familiar with the inner-workings of that module. If a user is allowed to view unpublished nodes, how will accessing Private Download files be dealt with?
Let me know what you think.
Thanks,
John
Comment #2
kbk CreditAttribution: kbk commentedSo this issue has forced me to reassess my approach and, using Content Access, I can now Publish the node but limit access sufficiently which allows me to use PD without any patches. I mention this in case you'd rather postpone (or won't fix) this issue to see if it will help more than 1 person.
In the meantime...
Unfortunately, all I can add is that by design, Drupal limits access to unpublished nodes to the Author and Admin. PD works as expected in this sense because Authors and Admins can still access files stored in the private directory via CCK FileField regardless of publication status. Problems arise if you are using View Unpublished to allow non-Author, non-Admin roles access to unpublished nodes (i.e., they cannot download files stored in the Private directory.)
Also, I've contacted the View Unpublished maintainer with a request for insight into this thread. Honestly, there is a small possibility that this feature request should be made against that module!
Comment #3
johnhanley CreditAttribution: johnhanley commentedAfter giving this matter some additional thought, I'm not inclined to support something that circumvents default security.
I'm going to postpone this request, but am open to further discussion and exploration.
Comment #4
johnhanley CreditAttribution: johnhanley commentedComment #5
transformative CreditAttribution: transformative commentedI don't know whether it would be of any use, but the Module Grants module fixes some problems with the way unpublished nodes behave.
Even if it's not directly useful, that module could contain ideas for future development. I haven't tested it with Private Download, but thought I'd mention it when I stumbled across this post.
Thanks for this module!