Index: modules/upload/upload.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/upload/upload.module,v
retrieving revision 1.227
diff -u -r1.227 upload.module
--- modules/upload/upload.module 3 Feb 2009 18:55:32 -0000 1.227
+++ modules/upload/upload.module 9 Feb 2009 00:42:44 -0000
@@ -154,14 +154,16 @@
 $filepath = file_create_path($filepath);
 $file = db_query("SELECT f.*, u.nid FROM {files} f INNER JOIN {upload} u ON f.fid = u.fid WHERE filepath = :path", array(':path' => $filepath))->fetchObject();
- if ($file && user_access('view uploaded files') && ($node = node_load($file->nid)) && node_access('view', $node)) {
- return array(
- 'Content-Type: ' . $file->filemime,
- 'Content-Length: ' . $file->filesize,
- );
- }
- else {
- return -1;
+ if ($file) {
+ if (user_access('view uploaded files') && ($node = node_load($file->nid)) && node_access('view', $node)) {
+ return array(
+ 'Content-Type: ' . $file->filemime,
+ 'Content-Length: ' . $file->filesize,
+ );
+ }
+ else {
+ return -1;
+ }
 }
 }
Index: modules/upload/upload.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/upload/upload.test,v
retrieving revision 1.12
diff -u -r1.12 upload.test
--- modules/upload/upload.test 27 Jan 2009 00:22:27 -0000 1.12
+++ modules/upload/upload.test 9 Feb 2009 00:42:45 -0000
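Review bot: The new `if ($file)` wrapper has no else branch, so when the {files}/{upload} query finds no row the hook now falls off the end and returns NULL instead of the old -1, and nothing in the hunk records that this is deliberate; a later maintainer could "fix" it back to a deny, or a reader could assume unmanaged files are still refused by this module. Add a comment on the `if ($file)` block, e.g. `// Not a file attached through upload.module: make no access decision here so other hook_file_download() implementations (e.g. user pictures) can grant or deny it.` That comment should also state the security consequence the hunk leaves implicit: under private downloads, a file in the files directory that no module manages is no longer denied by upload.module, so whether it is served depends entirely on what file_download() does when no implementation returns headers or -1 — worth confirming and pinning in the test rather than assuming. The enclosing function starts before the hunk.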
@@ -160,6 +160,65 @@
 $this->assertRaw(t('The file is %filesize exceeding the maximum file size of %maxsize.', array('%filesize' => $filesize, '%maxsize' => $maxsize)), t('File size cited as problem with upload'));
 }
+ /**
+ * Check the file access when using private downloads.
+ */
+ function testDownloadAccess() {
+ $files = $this->drupalGetTestFiles('text', 1024); // 1 Kb.
+ $file = current($files);
+
+ $files = $this->drupalGetTestFiles('text', 1024); // 1 Kb.
+ $unmanaged_file = current($files);
+
+ $files = $this->drupalGetTestFiles('image');
+ $user_picture = current($files);
+
+ $admin_user = $this->drupalCreateUser(array('administer site configuration', 'administer users', 'edit any page content', 'upload files'));
+ $access_user = $this->drupalCreateUser(array('access content', 'access user profiles', 'view uploaded files'));
+ $no_access_user = $this->drupalCreateUser(array('access content'));
+
+ $this->drupalLogin($admin_user);
+
+ // Enable private downloads.
+ variable_set('file_downloads', FILE_DOWNLOADS_PRIVATE);
+
+ // Create the node with the uploaded file.
+ $node = $this->drupalCreateNode();
+ $this->uploadFile($node, $file->filename, FALSE);
+
+ // Upload a user picture for the admin. We use user pictures to check
+ // that upload.module does not block access to other managed files.
+ $edit = array('user_pictures' => '1');
+ $this->drupalPost('admin/user/settings', $edit, t('Save configuration'));
+ $edit = array('files[picture_upload]' => $user_picture->filename);
+ $this->drupalPost('user/' . $admin_user->uid.'/edit', $edit, t('Save'));
+
+ // Add an unmanaged file.
+ file_unmanaged_copy($unmanaged_file->filename);
+
+ // Login as a user that can view the file.
+ $this->drupalLogin($access_user);
+
+ // Check that this user can see the uploaded node file.
+ $this->drupalGet(file_create_url($file->basename));
+ $this->assertResponse(200, t('User with permission can view file with private downloads.'));
+
+ // Check that this user cannot an view an unmanaged file.
+ $this->drupalGet(file_create_url($unmanaged_file->basename));
+ $this->assertResponse(200, t('User cannot view an unmanaged file with private downloads.'));
+
+ // Check that this user can view a managed file not owned by upload.
+ $this->drupalGet(file_create_url('pictures/picture-' . $admin_user->uid . '.png'));
+ $this->assertResponse(200, t('User can view files not uploaded through upload module with private downloads.'));
+
+ // Login as a user that cannot view the upload file.
+ $this->drupalLogin($no_access_user);
+ $this->drupalGet(file_create_url($file->basename));
+ $this->assertResponse(403, t('User without permission cannot view uploaded files with private downloads.'));
+
+ variable_set('file_downloads', FILE_DOWNLOADS_PUBLIC);
+ }
+
 function setUploadSettings($settings, $rid = NULL) {
 $edit = array();
 foreach ($settings as $key => $value) {
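Review bot: The unmanaged-file assertion in the middle of the hunk asserts the opposite of what its comment and message claim: `$this->assertResponse(200, t('User cannot view an unmanaged file with private downloads.'))` passes only when the file IS served, so this test would not catch a private, unmanaged file being handed out, which is the one regression the upload.module change in this patch could introduce. Since the patched upload_file_download() returns nothing for a path with no {files}/{upload} row, the status here is whatever file_download() produces when no module claims the file — presumably 404 rather than 403, which should be confirmed against file_download() before pinning it, and the line should then read `$this->assertResponse(404, t('User cannot view an unmanaged file with private downloads.'));`. The comment above it also needs `cannot an view` → `cannot view`. The user-picture case that follows is the one that actually proves other modules' managed files are no longer blocked, so keep its 200 separate from the unmanaged case rather than letting both share the same expected status.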