Hi,
I am using the taxonomy access control module to restrict access to nodes in Drupal 5.1 (DB=MySQL). I have created a vocabulary and a new role that can access content that is tagged properly (i.e. Private). This works great. The problem i am seeing is that my site supports file uploads. And, I want file attachments to have similarly restricted access. The way around the system I see is that if you have an URL to the file attachment you can get the file when not authenticated in that role. The easy way to reproduce this in IE is to copy short cut, log out of a site, paste in the shortcut and you get the file. Is there any way to restrict access such that the file attachments can't be accessed if the user can't access the node they are attached to?
Thank you for your help!
| Comment | File | Size | Author |
|---|---|---|---|
| #8 | Create Article _ Pershore Christadelphians.pdf | 708.68 KB | matt b |
| #8 | Drupal Icon Test _ Pershore Christadelphians.pdf | 528.72 KB | matt b |
| #8 | Access denied _ Pershore Christadelphians.pdf | 207.22 KB | matt b |
| #8 | druplicon.large_.pdf | 103.88 KB | matt b |
| #8 | Access rules for anonymous user _ Pershore Christadelphians.pdf | 750.75 KB | matt b |
Comments
Comment #1
k1rk commentedOne solution could be to turn your attachments into nodes themselves. Look for add-on modules that change the default way attachments are stored -- I think there's one that turns attachments into full-fledged nodes themselves. That may help you: since the attachment is now a node, it will get the same taxonomy access control as any other node.
Just a suggestion.
Comment #2
xjmYou need to use the private download method or one of the modules/configurations that replace it. (I recommend the latter since Core's private file handling has historically been dicey. In D5 I have used the Download module for this.)
Comment #3
matt bThis is an issue on Drupal 7. Shouldn't this module implement hook_file_download() and check the user access to the fields related to the node in question?
Comment #4
xjmCore's normal access control for files should handle this, because TAC uses the core node access system. If it does not, that is a core bug.
This isn't the same issue as in D5, though, so could you give me a set of reproduce inappropriate access to a file?
Comment #5
dhalbert commentedThis works for me in D7. I have nodes with a single-term vocabulary "Private", with one term "private". I set the permissions rules for anonymous user to Deny for that term, and for authenticated user to Allow View. These private nodes have File fields and Image fields (both set to use the private download method), and anonymous users are appropriately denied access to the URLs for the files and images. I just retested it logged out and logged in, and it works.
The only other access control module I have enabled is Field Permissions.
(There was a bug in core in Drupal 7.0 that allowed access to private files, but it's been fixed since 7.1/7.2.)
Comment #6
xjmThanks @dhalbert, that is a relief to hear. I was pretty worried because that would be a pretty severe core bug. :) Waiting to hear what might be the issue for @Matt B then.
Comment #7
xjmComment #8
matt bI have a node with a 3 term vocabulary and the access control set up so that only those with the term 'Public' are available to the public. Non-Public nodes result in access denied, but images attached to them in an image field are accessible by the direct URL. I've attached some screenshots!
I had a similar issue on OG, but moved away from OG because it seems overcomplicated for me - this module is much simpler and works (so good work guys!). But have a look at this issue here: http://drupal.org/node/985656
The patch implements hook_file_download (http://api.drupal.org/api/drupal/modules--system--system.api.php/functio...) and given that this seems to be a common issue on two access control modules I wonder if Core is expecting this hook to be implemented?
Comment #9
xjmIf a file is accessible by the direct URL, it sounds to me like the private file system is not configured properly. See http://drupal.org/documentation/modules/file.
Comment #10
matt bPrivate files are set up properly, but file attachments are still viewable when a node is unpublished. I think it may be a conflict with the media module.... let me get back to you....
Comment #11
dhalbert commentedAre you using Media field (which is deprecated) for the file and image fields?
I have the Media module installed but disabled. I enabled it and did not see an access problem. I do have File Entity installed and enabled.
Comment #12
matt bI have now rebuild my site from scratch using Taxonomy Access Control and not installing the media module. Access to private files (or lack of as described above) works perfectly. Thank you for this excellent module, and apologies for getting you worried! Matt