2 files changed, 22 insertions, 16 deletions

diff --git a/modules/upload.module b/modules/upload.module
index e64f2a26d..82bf0c83c 100644
--- a/modules/upload.module
+++ b/modules/upload.module
@@ -131,15 +131,18 @@ function upload_download() {
 function upload_file_download($file) {
   if (user_access('view uploaded files')) {
     $file = file_create_path($file);
-    $result = db_query(db_rewrite_sql("SELECT f.nid, f.* FROM {files} f WHERE filepath = '%s'", 'f'), $file);
+    $result = db_query("SELECT f.* FROM {files} f WHERE filepath = '%s'", $file);
     if ($file = db_fetch_object($result)) {
-      $name = mime_header_encode($file->filename);
-      $type = mime_header_encode($file->filemime);
-      // Serve images and text inline for the browser to display rather than download.
-      $disposition = ereg('^(text/|image/)', $file->filemime) ? 'inline' : 'attachment';
-      return array('Content-Type: '. $type .'; name='. $name,
-                   'Content-Length: '. $file->filesize,
-                   'Content-Disposition: '. $disposition .'; filename='. $name);
+      $node = node_load($file->nid);
+      if (node_access('view', $node)) {
+        $name = mime_header_encode($file->filename);
+        $type = mime_header_encode($file->filemime);
+        // Serve images and text inline for the browser to display rather than download.
+        $disposition = ereg('^(text/|image/)', $file->filemime) ? 'inline' : 'attachment';
+        return array('Content-Type: '. $type .'; name='. $name,
+                     'Content-Length: '. $file->filesize,
+                     'Content-Disposition: '. $disposition .'; filename='. $name);
+      }
     }
   }
 }
diff --git a/modules/upload/upload.module b/modules/upload/upload.module
index e64f2a26d..82bf0c83c 100644
--- a/modules/upload/upload.module
+++ b/modules/upload/upload.module
@@ -131,15 +131,18 @@ function upload_download() {
 function upload_file_download($file) {
   if (user_access('view uploaded files')) {
     $file = file_create_path($file);
-    $result = db_query(db_rewrite_sql("SELECT f.nid, f.* FROM {files} f WHERE filepath = '%s'", 'f'), $file);
+    $result = db_query("SELECT f.* FROM {files} f WHERE filepath = '%s'", $file);
     if ($file = db_fetch_object($result)) {
-      $name = mime_header_encode($file->filename);
-      $type = mime_header_encode($file->filemime);
-      // Serve images and text inline for the browser to display rather than download.
-      $disposition = ereg('^(text/|image/)', $file->filemime) ? 'inline' : 'attachment';
-      return array('Content-Type: '. $type .'; name='. $name,
-                   'Content-Length: '. $file->filesize,
-                   'Content-Disposition: '. $disposition .'; filename='. $name);
+      $node = node_load($file->nid);
+      if (node_access('view', $node)) {
+        $name = mime_header_encode($file->filename);
+        $type = mime_header_encode($file->filemime);
+        // Serve images and text inline for the browser to display rather than download.
+        $disposition = ereg('^(text/|image/)', $file->filemime) ? 'inline' : 'attachment';
+        return array('Content-Type: '. $type .'; name='. $name,
+                     'Content-Length: '. $file->filesize,
+                     'Content-Disposition: '. $disposition .'; filename='. $name);
+      }
     }
   }
 }