From 83b80acad8431fcd56e9a331ba06c41edee48c91 Mon Sep 17 00:00:00 2001
From: David Rothstein
Date: Wed, 16 Jul 2014 16:03:02 -0400
Subject: Drupal 7.29
---
 modules/file/file.module | 5 +++--
 modules/file/tests/file.test | 13 +++++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)
(limited to 'modules/file')
diff --git a/modules/file/file.module b/modules/file/file.module
index 5a635fd75..ed165368b 100644
--- a/modules/file/file.module
+++ b/modules/file/file.module
@@ -510,8 +510,9 @@ function file_managed_file_value(&$element, $input = FALSE, $form_state = NULL)
 $callback($element, $input, $form_state);
 }
 }
- // Load file if the FID has changed to confirm it exists.
- if (isset($input['fid']) && $file = file_load($input['fid'])) {
+ // Load file and check access if the FID has changed, to confirm it
+ // exists and that the current user has access to it.
+ if (isset($input['fid']) && ($file = file_load($input['fid'])) && file_download_access($file->uri)) {
 $fid = $file->fid;
 }
 }
diff --git a/modules/file/tests/file.test b/modules/file/tests/file.test
index 69e711a36..4d53d747f 100644
--- a/modules/file/tests/file.test
+++ b/modules/file/tests/file.test
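Review bot: When `file_download_access($file->uri)` fails in the new combined condition in file_managed_file_value, the submitted fid is dropped without any trace, so an attempt to attach a file the current user may not read looks the same as a form that carried no fid. Splitting the access check out of the `if` and recording the refusal with `watchdog()` would give operators something to alert on; the message text below is constructed wording, and the severity is worth confirming in case form rebuilds make it noisy. The function body starts and ends outside this hunk, so how `$fid` is initialised before this point is not visible here.

```php
// … unchanged: comment above the check …
if (isset($input['fid']) && ($file = file_load($input['fid']))) {
  if (file_download_access($file->uri)) {
    $fid = $file->fid;
  }
  else {
    // Keep the fallback $fid, but leave an audit trail for the refused reuse.
    watchdog('file', 'Refused reuse of file %fid: current user has no access to it.', array('%fid' => $file->fid), WATCHDOG_WARNING);
  }
}
```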
@@ -1167,5 +1167,18 @@ class FilePrivateTestCase extends FileFieldTestCase {
 // Ensure the file cannot be downloaded.
 $this->drupalGet(file_create_url($node_file->uri));
 $this->assertResponse(403, 'Confirmed that access is denied for the file without view field access permission.');
+
+ // Attempt to reuse the existing file when creating a new node, and confirm
+ // that access is still denied.
+ $edit = array();
+ $edit['title'] = $this->randomName(8);
+ $edit[$field_name . '[' . LANGUAGE_NONE . '][0][fid]'] = $node_file->fid;
+ $this->drupalPost('node/add/page', $edit, t('Save'));
+ $new_node = $this->drupalGetNodeByTitle($edit['title']);
+ $this->assertTrue(!empty($new_node), 'Node was created.');
+ $this->assertUrl('node/' . $new_node->nid);
+ $this->assertNoRaw($node_file->filename, 'File without view field access permission does not appear after attempting to attach it to a new node.');
+ $this->drupalGet(file_create_url($node_file->uri));
+ $this->assertResponse(403, 'Confirmed that access is denied for the file without view field access permission after attempting to attach it to a new node.');
 }
 }
-- cgit v1.2.3
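Review bot: Only the denial path is exercised by the added assertions: nothing in this hunk confirms that a user who is allowed to download a file can still attach it by fid, so an over-strict check in file_managed_file_value would go unnoticed unless another test covers it. The rejection is also inferred from rendered output and a 403 rather than from the saved node; an assertion on the stored field, for example `$this->assertTrue(empty($new_node->{$field_name}), 'File was not attached to the new node.');`, would pin it directly, assuming a refused fid leaves the field empty. `$field_name` and `$node_file` are defined outside the hunk, so their setup could not be checked here.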