diff options
author | Dries Buytaert <dries@buytaert.net> | 2004-12-29 23:01:01 +0000 |
---|---|---|
committer | Dries Buytaert <dries@buytaert.net> | 2004-12-29 23:01:01 +0000 |
commit | 627699cc9e22daa7ad2df915f4149fa53344be15 (patch) | |
tree | 1498c4210f6087314d032e5fac500c6afa56d6f9 | |
parent | bc9aeff7dda9b2b93f63fd93befd499f4732cde6 (diff) | |
download | brdo-627699cc9e22daa7ad2df915f4149fa53344be15.tar.gz brdo-627699cc9e22daa7ad2df915f4149fa53344be15.tar.bz2 |
- Patch #14545 by nysus: don't grant access to files if the node is not accessible.
-rw-r--r-- | modules/upload.module | 2 | ||||
-rw-r--r-- | modules/upload/upload.module | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/modules/upload.module b/modules/upload.module index 16e0621af..a1d7e5e60 100644 --- a/modules/upload.module +++ b/modules/upload.module @@ -90,7 +90,7 @@ function upload_download() { function upload_file_download($file) { if (user_access('view uploaded files')) { $file = file_create_path($file); - $result = db_query("SELECT * from {files} WHERE filepath = '%s'", $file); + $result = db_query("SELECT * from {files} n " . node_access_join_sql() . "WHERE filepath = '%s' AND ". node_access_where_sql(), $file); if ($file = db_fetch_object($result)) { $name = mime_header_encode($file->filename); // Serve images and text inline for the browser to display rather than download. diff --git a/modules/upload/upload.module b/modules/upload/upload.module index 16e0621af..a1d7e5e60 100644 --- a/modules/upload/upload.module +++ b/modules/upload/upload.module @@ -90,7 +90,7 @@ function upload_download() { function upload_file_download($file) { if (user_access('view uploaded files')) { $file = file_create_path($file); - $result = db_query("SELECT * from {files} WHERE filepath = '%s'", $file); + $result = db_query("SELECT * from {files} n " . node_access_join_sql() . "WHERE filepath = '%s' AND ". node_access_where_sql(), $file); if ($file = db_fetch_object($result)) { $name = mime_header_encode($file->filename); // Serve images and text inline for the browser to display rather than download. |