authorDavid Rothstein <drothstein@gmail.com>2014-07-16 16:03:02 -0400
committerDavid Rothstein <drothstein@gmail.com>2014-07-16 16:03:02 -0400
commit83b80acad8431fcd56e9a331ba06c41edee48c91 (patch)
tree14e68546a7d96f64ea9e34196f10404eea093922 /modules/file
parent1769d1cca92e206510528c324552797e83a1fc7c (diff)
Drupal 7.29
Diffstat (limited to 'modules/file')
-rw-r--r--modules/file/file.module5
-rw-r--r--modules/file/tests/file.test13
2 files changed, 16 insertions, 2 deletions
diff --git a/modules/file/file.module b/modules/file/file.module
index 5a635fd75..ed165368b 100644
--- a/modules/file/file.module
+++ b/modules/file/file.module
@@ -510,8 +510,9 @@ function file_managed_file_value(&$element, $input = FALSE, $form_state = NULL)
$callback($element, $input, $form_state);
}
}
- // Load file if the FID has changed to confirm it exists.
- if (isset($input['fid']) && $file = file_load($input['fid'])) {
+ // Load file and check access if the FID has changed, to confirm it
+ // exists and that the current user has access to it.
+ if (isset($input['fid']) && ($file = file_load($input['fid'])) && file_download_access($file->uri)) {
$fid = $file->fid;
}
}
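Review bot: The denied case at the new `if` is silent: when `file_load()` succeeds but `file_download_access($file->uri)` returns false, the submitted fid is just not adopted, and no message or log entry records that a form post referenced a file the user may not read. An audit trail would help here, for example an `elseif (isset($input['fid']))` branch calling `watchdog('file', 'Ignored submitted file ID %fid: file missing or access denied.', array('%fid' => $input['fid']), WATCHDOG_WARNING);`. The comment could also state that `$input['fid']` is client-supplied and that download access is being used as the test for "may attach this file". The body of `file_managed_file_value()` starts and ends outside the hunk, so what `$fid` falls back to is not visible here and should be confirmed.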
diff --git a/modules/file/tests/file.test b/modules/file/tests/file.test
index 69e711a36..4d53d747f 100644
--- a/modules/file/tests/file.test
+++ b/modules/file/tests/file.test
@@ -1167,5 +1167,18 @@ class FilePrivateTestCase extends FileFieldTestCase {
// Ensure the file cannot be downloaded.
$this->drupalGet(file_create_url($node_file->uri));
$this->assertResponse(403, 'Confirmed that access is denied for the file without view field access permission.');
+
+ // Attempt to reuse the existing file when creating a new node, and confirm
+ // that access is still denied.
+ $edit = array();
+ $edit['title'] = $this->randomName(8);
+ $edit[$field_name . '[' . LANGUAGE_NONE . '][0][fid]'] = $node_file->fid;
+ $this->drupalPost('node/add/page', $edit, t('Save'));
+ $new_node = $this->drupalGetNodeByTitle($edit['title']);
+ $this->assertTrue(!empty($new_node), 'Node was created.');
+ $this->assertUrl('node/' . $new_node->nid);
+ $this->assertNoRaw($node_file->filename, 'File without view field access permission does not appear after attempting to attach it to a new node.');
+ $this->drupalGet(file_create_url($node_file->uri));
+ $this->assertResponse(403, 'Confirmed that access is denied for the file without view field access permission after attempting to attach it to a new node.');
}
}
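Review bot: The added assertions prove the denial only indirectly, through `assertNoRaw($node_file->filename, ...)` and the 403 on the file URL; neither checks that the new node stored no file reference. A direct check such as `$this->assertTrue(empty($new_node->{$field_name}), 'No file was attached to the new node.');` would still fail if the fid were saved but the rendered output happened to hide it. The hunk also covers only the denied path, so a companion case where a user who does have access reuses an existing fid would guard against the new check rejecting legitimate submissions. The test method starts outside the hunk, so which user is logged in at this point is assumed from the assertion messages.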