diff options
author | David Rothstein <drothstein@gmail.com> | 2016-02-24 14:19:52 -0500 |
---|---|---|
committer | David Rothstein <drothstein@gmail.com> | 2016-02-24 14:19:52 -0500 |
commit | 2f54b101bf722849e456d859876b27b90ad7e479 (patch) | |
tree | 9fdf1d34a03ec83b95a4fbcced22bb1b599f76d0 /modules/file/file.module | |
parent | aaf2d59820d7daf70c3acdde20c0e13d618a4e07 (diff) | |
download | brdo-2f54b101bf722849e456d859876b27b90ad7e479.tar.gz brdo-2f54b101bf722849e456d859876b27b90ad7e479.tar.bz2 |
Drupal 7.43
Diffstat (limited to 'modules/file/file.module')
-rw-r--r-- | modules/file/file.module | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/modules/file/file.module b/modules/file/file.module index fbf8b81ec..9e091af03 100644 --- a/modules/file/file.module +++ b/modules/file/file.module @@ -529,14 +529,19 @@ function file_managed_file_value(&$element, $input = FALSE, $form_state = NULL) // publicly accessible, with no download restrictions; for security // reasons all other schemes must go through the file_download_access() // check. - if (in_array(file_uri_scheme($file->uri), variable_get('file_public_schema', array('public'))) || file_download_access($file->uri)) { - $fid = $file->fid; + if (!in_array(file_uri_scheme($file->uri), variable_get('file_public_schema', array('public'))) && !file_download_access($file->uri)) { + $force_default = TRUE; } - // If the current user doesn't have access, don't let the file be - // changed. - else { + // Temporary files that belong to other users should never be allowed. + // Since file ownership can't be determined for anonymous users, they + // are not allowed to reuse temporary files at all. + elseif ($file->status != FILE_STATUS_PERMANENT && (!$GLOBALS['user']->uid || $file->uid != $GLOBALS['user']->uid)) { $force_default = TRUE; } + // If all checks pass, allow the file to be changed. + else { + $fid = $file->fid; + } } } } |