image module breaks anonymous access to uploaded files
tmus - October 27, 2007 - 05:10
| Project: | Image |
| Version: | 5.x-1.x-dev |
| Component: | image.module |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed |
Description
After updating the image module to version 5.x-1.6, I can no longer view non-image files uploaded to nodes via the upload module.
To view attached .pdf files for example, I need to add the "view original images" right to anonymous users, or I'll get an access denied page.
#1
I have the same problem on several PostgreSQL based sites. There's a warning message:
The line is in function image_file_download($filename):
if (user_access('view original images') || in_array($filepath, $images))$images doesn't seem to be an array.
#2
The problem was introduced in the latest patch for http://drupal.org/node/170659
#3
The attached patch fixes the problem. I don't know if $node->images is set at all in the function maybe someone with more knowledge of the image module should look at the function again.
#4
oh, maybe we should be checking node type...
#5
Is there no final fix for this issue? Anonymous users still cannot view the thumbnail and preview. :(
#6
radj, rather thank complaining about a final fix please review the posted patch.
#7
I used the code in this patch and it fixed the problem for me.
#8
+1 for me too. The patch above works as expected and quick visual review didn't raise any issues.
#9
+1 again. Patch still applies cleanly to 1.x-dev, and works.
@drewish - #4: does checking node type work? I got the error while trying to download a non-image attachment, for a node whose type does support uploading images, but which has no images attached.
(I don't know enough Drupal/PHP 'coding standard' to set the patch to 'ready to be committed'... I don't know if $node->images should return an empty array in that case?)
#10
give this a try...
#11
whoops, ignore that last one... wrong variable name.
#12
Patch works - and code reads like it's a better solution, yes.
#13
great, committed to HEAD.
#14
Automatically closed -- issue fixed for two weeks with no activity.
#15
*weeps*
The patch you rolled does not actually solve the problem - unlike jandd's patch which does.
And apparently I didn't test correctly. Sorry :-/
That is: if the node has no image attached, '-1' is still returned. No good.
This contains a patch to the latest (19 dec) 1.x-dev.
I'm still a PHP / Drupal Coding nitwit, so please check the first line I added ('if ($node) {') for sanity. Thanks.
#16
Looks good to me. Committed to DRUPAL-5 and DRUPAL-5--2.
#17
Automatically closed -- issue fixed for two weeks with no activity.