Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I tried to create add a field with FileField Sources Plupload and FileField Sources modules and it works fine but the anonymous users can't use it because "plupload-handle-uploads" url returns with access denied.
Comment | File | Size | Author |
---|---|---|---|
#12 | 2138379-3.patch | 389 bytes | Christian Hanne |
#1 | 2138379-1.patch | 474 bytes | kalman.hosszu |
Comments
Comment #1
kalman.hosszu CreditAttribution: kalman.hosszu commentedThe problem is that plupload_upload_access() function returns with false, because drupal_valid_token() can't validate anonymous users. This function has flag argument to skip anonymous validate so I set it TRUE in the callback and it seems ok. Could you test is?
Comment #2
kalman.hosszu CreditAttribution: kalman.hosszu commentedComment #3
slashrsm CreditAttribution: slashrsm commentedWe start session in plupload_element_process(), which means that even anon users will get session. Token should work with every user that has a session, even anonymous. Are you using the latest stable release of this module?
Can you double check this? I remember testing with anon users a while ago and it worked as expected.
Comment #4
alforddm CreditAttribution: alforddm commentedI've got Plupload in a custom module and I'm having the same problem. Registered users can upload fine but when trying as anonymous I get this error
Failed to load resource: the server responded with a status of 403 (Forbidden) http://colorgenetics.info/plupload-handle-uploads?plupload_token=OsU5vm632DkConIfh6t2jiGbxoIDyjX2X4jOM9iXULk
Not sure if it makes a difference but I'm using nginx with Perusio's config I'm not using the dev version though I'm using 7.x-1.4
Comment #5
elioshI found this solution useful:
http://blog.rwky.net/2011/09/drupal-7-anonymous-sessions.html
I added a line in my form definition:
And now it works perfectly
Comment #6
amonteroHad an already working form with a mupload widget + plupload.
Made that form accessible anonymously and it didn't work (yellow exclamation sign).
Googled for it and patch #1 solved the issue without affecting authenticated users.
Comment #7
kalman.hosszu CreditAttribution: kalman.hosszu commented@amontero thanks for testing! @slashrsm could you commit this fix?
Comment #8
slashrsm CreditAttribution: slashrsm commentedAs already mentioned in #3 I'm against disabling token protection for anonymous users.
Plupload *should* work for anonymous users, but it will create a session for that. Please let me know if it doesn't.
Comment #9
k.dani CreditAttribution: k.dani commentedI also tried to make the plupload field useable by anonym users, but I also got the mentioned 'Forbidden (403)' response for every images.
I use the following modules and lib:
It works fine to authenticated users, but doesn't work for anonyms.
I can confirm that patch #1 fixes the problem.
Comment #10
Todd Zebert CreditAttribution: Todd Zebert commentedI have some potentially interesting data on this issue. I have an older inherited site, Drupal 7.2, but latest Plupload (1.6) and js lib (1.5.8).
I'm using Plupload with pure FAPI code much like in the docs https://www.drupal.org/node/1647890 - with no other modules. The Form, of course, works perfect for Admin user, but essentially not at all for anonymous users; although if you cleared cache the first anon upload or two might work - it was unpredictable though.
After reviewing this thread, and the other one, https://www.drupal.org/node/1426088 , and pretty much anything else I could Google, I was still stuck (and not wanting to just disable token protection.)
Long story short, after lots of other tries, I eventually:
I haven't tried it without the original patch in _preprocess_node() so I don't know if that's necessary. (At this point I've wasted too much time already)
I suppose that's still a long story, but I have a couple theories - but this is all in deep area of Drupal I'm not really familiar with:
Anyway, hope this helps someone. Thanks.
Comment #11
Christian Hanne CreditAttribution: Christian Hanne commentedI know this is a pretty old issue and might not be relevant for most users, but I figured a way to deal with this issue.
Drupal 7 stopped creating sessions for anonymous users a while ago, so it seems to keep regenerating the session_id() used for the tokens. So what you need to do is, force Drupal to create and store an anonymous session. Drupal will only store the session, if it contains values. So you need to store at least some random value in the $_SESSION array. I did this in a hook_init() function. Drupal now creates a database record for the anonymous user. This way anonymous uploads work and authorization through token works too.
Please note, that I don't know why Drupal stopped creating sessions for anon users. It might be because of performance issues or something else. So maybe, if we force the old behaviour we should either make a note to the readme file or have a checkbox for users, where they can allow anonymous uploads.
Comment #12
Christian Hanne CreditAttribution: Christian Hanne commentedHad a typo in the last patch...