My site now has links that can be used to download original images.

In Lightbox2 configuration I have unchecked permissions for anonymous users to download the original image.
In Brilliant Gallery permissions I have unchecked "access brilliant_gallery".

When I access the site without logging in, I can still download original images.

For an example see: http://dasselambassadors.com/node/16

Comments

dman:

It would appear that that permission restricts only access to the URL /brilliant_gallery.
But using it in an embedded context (as node content) is not affected by that restriction.
So your node page is showing that content without reference to that permission.

You could restrict access to the node itself - which is probably expected, but it does seem that the permission labelled "access brilliant_gallery" would be expected to be more restrictive than it actually is.

Depends - what did you really expect to see when an anonymous user looked at that page? You want to let them see the page ... but not the content in it?
Probably should be locked down with node-level access.

(I know nothing about brilliant gallery - just about Drupal internals)

icesurfer:

I hacked the module to provide this functionality. It appears that I also need to turn caching off or the link/lack of link will be shown for the first user that opened the thumbnail.

First I added a new permission for this module: 'link to original image'
Around line 46:

function brilliant_gallery_perm() {
  return array('access brilliant_gallery', 'access administration pages', 'link to original image');
}

Around line 835:

        case 'lightbox':
          // Only roles with the new permission get the link to the original image in the caption.
          if (user_access('link to original image')) {
            $result .= ' rel="lightbox[' . $setname . '][<a href="' . $fullimgpath . '">' . $caption . '</a>]"';
          }
          else {
            $result .= ' rel="lightbox[' . $setname . ']"';
          }

In {mysite.com}/admin/user/permissions: Checked the roles that I wanted to have access to the link to download the original file.

It appears to work. Anonymous users don't get a link and the users with access to protected content do get the link.
Is adding conditional display really this easy in Drupal or did I miss some security or use a 'bad' pattern?
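
On the question that closes the thread: the `user_access()` check in the patch decides only whether the link is rendered, so if the originals sit in a publicly served files directory, their URLs keep working for anyone who has them. An added example, not part of the original posts or of the Brilliant Gallery module, that enforces the same permission on the file request itself with Drupal 6's `hook_file_download()`. The module name `gallery_guard` and the `albums/` folder are assumptions, and the hook only runs when the site's download method is set to private.

```php
<?php
// Added example: hypothetical Drupal 6 module "gallery_guard".
// Assumption: the download method is "Private", so file requests are routed
// through Drupal (system/files/...) and hook_file_download() is invoked.
// With the "Public" method the web server serves the files directly and
// this hook is never called.

/**
 * Implementation of hook_perm().
 *
 * Declares the same permission string used in the patch above, so the
 * rendered link and the file access check stay in step.
 */
function gallery_guard_perm() {
  return array('link to original image');
}

/**
 * Implementation of hook_file_download().
 *
 * $filepath is relative to the site's files directory.
 */
function gallery_guard_file_download($filepath) {
  // Assumption: gallery originals live under "albums/" in the files directory.
  // Returning NULL tells Drupal this file is not controlled by this module.
  if (strpos($filepath, 'albums/') !== 0) {
    return NULL;
  }

  // Deny the request for roles without the permission. Drupal answers with
  // "access denied" when any module returns -1.
  if (!user_access('link to original image')) {
    return -1;
  }

  // Allowed: return the headers Drupal should send with the file.
  // "private" keeps shared caches from replaying the response to other users.
  $fullpath = file_create_path($filepath);
  return array(
    'Content-Type: ' . file_get_mimetype($fullpath),
    'Content-Length: ' . filesize($fullpath),
    'Cache-Control: private',
  );
}
```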