diff options
| author | David Rothstein <drothstein@gmail.com> | 2015-03-31 00:11:39 -0400 |
|---|---|---|
| committer | David Rothstein <drothstein@gmail.com> | 2015-03-31 00:11:39 -0400 |
| commit | f4e61ed0c0521455534a7a6e2fb7f8fedbd0e62f (patch) | |
| tree | d030dda834d492639ac5ef25a07ddbafddd9ac42 | |
| parent | 668db719eb6938d828cc6f066bedfacf620182d6 (diff) | |
| download | brdo-f4e61ed0c0521455534a7a6e2fb7f8fedbd0e62f.tar.gz brdo-f4e61ed0c0521455534a7a6e2fb7f8fedbd0e62f.tar.bz2 | |
Issue #2305017 by David_Rothstein, slashrsm, marcingy: Add a 'file_public_schema' variable to allow bypassing file download access checks in managed file upload fields
| -rw-r--r-- | CHANGELOG.txt | 3 | ||||
| -rw-r--r-- | modules/file/file.module | 12 |
2 files changed, 14 insertions, 1 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt index dca1258df..504e61f6c 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,6 +1,9 @@ Drupal 7.36, xxxx-xx-xx (development version) ----------------------- +- Added a 'file_public_schema' variable which allows modules that define + publicly-accessible streams in hook_stream_wrappers() to bypass file download + access checks when processing managed file upload fields. - Fixed a bug that caused database query tags not to be added to search-related database queries under many circumstances, and which prevented the corresponding hook_query_TAG_alter() implementations from being called. diff --git a/modules/file/file.module b/modules/file/file.module index 1d5e5698f..ae452a683 100644 --- a/modules/file/file.module +++ b/modules/file/file.module @@ -519,7 +519,17 @@ function file_managed_file_value(&$element, $input = FALSE, $form_state = NULL) // public file) to confirm it exists and that the current user has access // to it. if (isset($input['fid']) && ($file = file_load($input['fid']))) { - if (file_uri_scheme($file->uri) == 'public' || file_download_access($file->uri)) { + // By default the public:// file scheme provided by Drupal core is the + // only one that allows files to be publicly accessible to everyone, so + // it is the only one for which the file access checks are bypassed. + // Other modules which provide publicly accessible streams of their own + // in hook_stream_wrappers() can add the corresponding scheme to the + // 'file_public_schema' variable to bypass file access checks for those + // as well. This should only be done for schemes that are completely + // publicly accessible, with no download restrictions; for security + // reasons all other schemes must go through the file_download_access() + // check. + if (in_array(file_uri_scheme($file->uri), variable_get('file_public_schema', array('public'))) || file_download_access($file->uri)) { $fid = $file->fid; } // If the current user doesn't have access, don't let the file be |