IMCE breaks private file system

drpratten - January 5, 2007 - 12:12
Project: IMCE
Version: 5.x-1.x-dev
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: postponed (maintainer needs more info)
Description

imce.module does not provide an access permission to restrict file download by role.

By way of contrast, upload.module provides "view uploaded files" which in combination with the private file system will restrict access to uploaded files by role.

However, once IMCE is enabled, all requests for private files will always be provided by Drupal. This defeats the idea of a private file system.

I request the addition of a "view uploaded files" permission to the imce module, and a patch to imce_file_download to return -1 if user_access('view uploaded file') fails.

Thanks

David

#1

drpratten - January 5, 2007 - 20:55

The core team may fix this bug once for the whole of Drupal. See http://drupal.org/node/106565

#2

ufku - January 7, 2007 - 23:14
Status: active » needs review

A private files permission specific to IMCE is a good idea. The attached patch proposes usage of a new "view imce files" permission.

Attachment: imce.module.patch (1.08 KB)

#3

Lowell - March 21, 2007 - 17:55

Does this patch work?
Is this something I can install now?

This might be exactly what I am looking for.

#4

ufku - March 30, 2007 - 00:41

This is outdated. There are only a few changes to be done to get the mentioned functionality. You may update the patch for the current release and use it.

#5

DanielTheViking - August 9, 2008 - 15:08
Status: needs review » postponed (maintainer needs more info)

Is this still an issue in the latest release? (Should this one be closed?)

#6

MiMe - August 27, 2008 - 18:50

This is still an issue even for the Drupal 6 version of IMCE! Guests can access "private" (off site) files even though they don't have any permission to the directory.

#7

MiMe - August 27, 2008 - 19:11

Actually pretty easy to check in Drupal 6, in the function imce_file_download($file) you have to check if the current user has access to the file being viewed!
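
The kind of check discussed in this thread, as an added example written against the Drupal 5/6 hook API; it is not the attached patch and not IMCE's own code. The module name `example`, the permission string `view example files` and the `example/` subdirectory are assumptions made for illustration.

```php
<?php
// Added example, not IMCE code. The "example" module name, the permission
// string and the "example/" subdirectory are assumptions.

/**
 * Implementation of hook_perm(): declare a permission that can be
 * granted per role on the access control page.
 */
function example_perm() {
  return array('view example files');
}

/**
 * Implementation of hook_file_download().
 *
 * With private downloads, core collects the return values of every module:
 *   -1       deny; core answers "access denied" even if another module
 *            returned headers for the same file
 *   array    HTTP headers; core streams the file with them
 *   nothing  no opinion; the file is served only if some other module allows it
 */
function example_file_download($file) {
  // $file is relative to the files directory. Only decide for files this
  // module manages, so other modules' access rules are left alone.
  if (strpos($file, 'example/') !== 0) {
    return;
  }

  // The role check that is missing when a module returns headers for
  // every request: deny before anything about the file is disclosed.
  if (!user_access('view example files')) {
    return -1;
  }

  $path = file_create_path($file);
  if (!$path || !is_file($path)) {
    return;
  }

  // Report the real type for images, a generic type for anything else.
  $info = @getimagesize($path);
  $type = ($info && isset($info['mime'])) ? $info['mime'] : 'application/octet-stream';
  return array(
    'Content-Type: ' . $type,
    'Content-Length: ' . filesize($path),
  );
}
```

A module that returns headers without a check like this serves any file it recognises to every visitor, because one set of headers is enough for core to send the file unless some module returns -1.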

#8

MiMe - August 29, 2008 - 06:17

Those of you that are looking for a Drupal 6 fix: #266549: directory protection from leeching

 
 
