Hi,

I am using the taxonomy access control module to restrict access to nodes in Drupal 5.1 (DB=MySQL). I have created a vocabulary and a new role that can access content that is tagged properly (i.e. Private). This works great. The problem i am seeing is that my site supports file uploads. And, I want file attachments to have similarly restricted access. The way around the system I see is that if you have an URL to the file attachment you can get the file when not authenticated in that role. The easy way to reproduce this in IE is to copy short cut, log out of a site, paste in the shortcut and you get the file. Is there any way to restrict access such that the file attachments can't be accessed if the user can't access the node they are attached to?

Thank you for your help!

Comments

k1rk’s picture

One solution could be to turn your attachments into nodes themselves. Look for add-on modules that change the default way attachments are stored -- I think there's one that turns attachments into full-fledged nodes themselves. That may help you: since the attachment is now a node, it will get the same taxonomy access control as any other node.

Just a suggestion.

xjm’s picture

Status: Active » Closed (fixed)

You need to use the private download method or one of the modules/configurations that replace it. (I recommend the latter since Core's private file handling has historically been dicey. In D5 I have used the Download module for this.)

matt b’s picture

Version: 5.x-1.0 » 7.x-1.0-rc1
Status: Closed (fixed) » Active

This is an issue on Drupal 7. Shouldn't this module implement hook_file_download() and check the user access to the fields related to the node in question?

xjm’s picture

Core's normal access control for files should handle this, because TAC uses the core node access system. If it does not, that is a core bug.

This isn't the same issue as in D5, though, so could you give me a set of reproduce inappropriate access to a file?

dhalbert’s picture

This works for me in D7. I have nodes with a single-term vocabulary "Private", with one term "private". I set the permissions rules for anonymous user to Deny for that term, and for authenticated user to Allow View. These private nodes have File fields and Image fields (both set to use the private download method), and anonymous users are appropriately denied access to the URLs for the files and images. I just retested it logged out and logged in, and it works.

The only other access control module I have enabled is Field Permissions.

(There was a bug in core in Drupal 7.0 that allowed access to private files, but it's been fixed since 7.1/7.2.)

xjm’s picture

Thanks @dhalbert, that is a relief to hear. I was pretty worried because that would be a pretty severe core bug. :) Waiting to hear what might be the issue for @Matt B then.

xjm’s picture

Title: Taxonomy access control does not restrict access to file attachments » Access to file attachments
matt b’s picture

I have a node with a 3 term vocabulary and the access control set up so that only those with the term 'Public' are available to the public. Non-Public nodes result in access denied, but images attached to them in an image field are accessible by the direct URL. I've attached some screenshots!

I had a similar issue on OG, but moved away from OG because it seems overcomplicated for me - this module is much simpler and works (so good work guys!). But have a look at this issue here: http://drupal.org/node/985656

The patch implements hook_file_download (http://api.drupal.org/api/drupal/modules--system--system.api.php/functio...) and given that this seems to be a common issue on two access control modules I wonder if Core is expecting this hook to be implemented?

xjm’s picture

If a file is accessible by the direct URL, it sounds to me like the private file system is not configured properly. See http://drupal.org/documentation/modules/file.

matt b’s picture

Private files are set up properly, but file attachments are still viewable when a node is unpublished. I think it may be a conflict with the media module.... let me get back to you....

dhalbert’s picture

Are you using Media field (which is deprecated) for the file and image fields?

I have the Media module installed but disabled. I enabled it and did not see an access problem. I do have File Entity installed and enabled.

matt b’s picture

Status: Active » Closed (fixed)

I have now rebuild my site from scratch using Taxonomy Access Control and not installing the media module. Access to private files (or lack of as described above) works perfectly. Thank you for this excellent module, and apologies for getting you worried! Matt