This module puts access restrictions on the node which links to the file, but not on the file itself. If a user without the required role were given the file URL, or were to guess the path of the file URL, they could still download the file, even if it is delivered via the private files directory.
For instance:
The node created which links to the file download would be www.example.com/files/examplepdf (restricted to a role), and it links to www.example.com/system/files/example.pdf (available for download by any authenticated or unauthenticated user). This path could be guessed from the node path, which I suppose can be resolved with pathauto patterns, but more importantly, an unauthenticated user could be given the URL directly to the file, and have no restrictions applied.
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | file_entity_perms_patch.patch | 992 bytes | sean_e_dietrich |
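One way to enforce the restriction on the file itself rather than only on the node, as an added example that is not the attached patch or this module's code. It assumes Drupal 7; the module name `mymodule`, the permission name, and the `restricted/` subdirectory are hypothetical.

```php
<?php

/**
 * Implements hook_permission().
 *
 * Hypothetical permission; grant it to the role that may view the node.
 */
function mymodule_permission() {
  return array(
    'download restricted files' => array(
      'title' => t('Download restricted files'),
    ),
  );
}

/**
 * Implements hook_file_download().
 *
 * Runs on every request to /system/files/..., so the check applies even
 * when the URL is requested directly and the node is never visited.
 */
function mymodule_file_download($uri) {
  // Only private:// files pass through Drupal; public files are served
  // by the web server and cannot be protected here.
  if (file_uri_scheme($uri) !== 'private') {
    return NULL;
  }
  // Assumption: protected files live under private://restricted/.
  if (strpos(file_uri_target($uri), 'restricted/') !== 0) {
    return NULL;
  }
  // A single -1 from any module denies the download, regardless of
  // what other modules return.
  if (!user_access('download restricted files')) {
    return -1;
  }
  // Grant access only for managed files, returning their headers.
  $files = file_load_multiple(array(), array('uri' => $uri));
  if (empty($files)) {
    return -1;
  }
  return file_get_content_headers(reset($files));
}
```

To confirm the fix, request the `/system/files/...` URL directly in a logged-out session and check for a 403 response.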
Comments
Comment #1
sean_e_dietrich
I'm not sure if this helps. I know this ticket was opened up about 3 years ago, but here is the patch I applied to get this working.
Comment #2
sean_e_dietrich