I have a problem with the image module not serving private files. Frankly, I can't find the root cause and the problem may well lay outside the module. So, I am hoping someone might advise me how to pinpoint the cause of this issue.

Details as follows.

Drupal Core Version: 7.12
Image module version = 7.7 (2011-07-28)

Here is a typical image request:
http://example.com/system/files/styles/thumbnail/private/image.png

The problem becomes noticeable within this function located within image.module.

function image_file_download($uri) {
  $path = file_uri_target($uri);

  // Private file access for image style derivatives.
  if (strpos($path, 'styles/') === 0) {
  ...
}

The problem is the URI passed to the function looks like this:
private://image.png

Because 'styles' doesn't exist in the path, the if statement doesn't get executed the function doesn't return any values and ultimately, Drupal responds with "access denied" which is a bit misleading as:
-The image in question *does* exist in the root of the private directory
-The file system does give Apache access to the file
-The user in my tests is administrator (uid=1) who does have access to the image.

As a *temporary* measure, I got images to display by replacing this line:
if (in_array(-1, $headers) || empty($headers)) {

with this:
if (in_array(-1, $headers)) {

In an attempt to reproduce the problem, I copied all my installing modules to a fresh instance of Drupal. However, the problem doesn't occur there. It's nothing to do with the theme either.

Being a Java programmer, I attempted getting a stack trace. But, that didn't help me. Although, I did wonder what an image request has to do with menu.inc.

0 (Array, 4 elements)
- file (String, 92 characters ) C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\bbps\modules\image\image.module
- line (Integer) 796
- function (String, 20 characters ) drupal_access_denied | (Callback) drupal_access_denied();
- args (Array, 0 elements)
1 (Array, 2 elements)
- function (String, 19 characters ) image_style_deliver | (Callback) image_style_deliver();
- args (Array, 3 elements)
- - 0 (Array, 5 elements)
- - 1 (String, 7 characters ) private
- - 2 (String, 9 characters ) video.png
2 (Array, 4 elements)
- file (String, 83 characters ) C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\bbps\includes\menu.inc
- line (Integer) 517
- function (String, 20 characters ) call_user_func_array | (Callback) call_user_func_array();
- args (Array, 2 elements)
3 (Array, 4 elements)
- file (String, 75 characters ) C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\bbps\index.php
- line (Integer) 21
- function (String, 27 characters ) menu_execute_active_handler | (Callback) menu_execute_active_handler();
- args (Array, 0 elements)

If you managed to get this far, thank's for reading :-)

Comments

dpovshed’s picture

dpovshed commented

Hi Brett,

first thing I'd like to ask in such cases - have you tried to use recent Drupal.

In an attempt to reproduce the problem, I copied all my installing modules to a fresh instance of Drupal.
here do you mean the same 7.12?

pjc’s picture

pjc commented
Version: 7.12 » 7.19

I've been sparring with the same issue for nearly a week now. Image styles are created with no problem, and their respective sample.png files are all placed in the right places. The problem, as you've already noted, is that I'm getting an 'Access Denied' response when attempting to view the sample image -- even as root. I'm almost positive its a configuration issue with nginx + php-fpm + nginx_accel_redirect, but as of yet, have not been able to figure it out. I have also noticed that when I rebuild permissions Drupal alters my sites/default directory permissions... could be the culprit I suppose. Would be interested in hearing other people's solutions!

KitsuneSolar’s picture

KitsuneSolar commented

Yes! I acknowledge the problem!
Clean 7.18 - no problem.
Clean 7.19 - there is a problem!

aquariumtap’s picture

aquariumtap commented

The same issue is happening to me. After an upgrade from 7.18 to 7.19, a lot of private images return with an access denied.

The function file_download() checks for modules implementing hook_file_download():

foreach (module_implements('file_download') as $module) { ...

In my case, the implementing module for the file I want is user.module (it's a profile picture). In 7.18, this returns with headers:

 if (strpos(file_uri_target($uri), variable_get('user_picture_path', 'pictures') . '/picture-') === 0) {
    $info = image_get_info($uri);
    return array('Content-Type' => $info['mime_type']);
  }

In 7.19+, the same thing returns false. It seems in 7.19, no $uri that begins with pictures/picture- is passed; only derivative images such as styles/some_style/private....

No other modules implementing hook_file_download() (eg image module) returns headers, so drupal_access_denied() is called.

deanflory’s picture

deanflory commented

I've had the same thing happen over the last few months/versions of Drupal and/or module updates. My user pictures aren't showing up properly anymore but they were before. When I visit the address of the image in question I get an Access Denied page. Just starting to look into this. Other images are working fine and they're all in the private folder.

liquidcms’s picture

liquidcms commented

D7.20 messe dup image handling. try adding this to your settings.php

    // D7.20 image screwup
  $conf['image_allow_insecure_derivatives'] = TRUE;
jelo’s picture

jelo commented

Are you using Fast 404?
https://www.drupal.org/node/2455057

deanflory’s picture

deanflory commented

I do not have Fast 404 enabled on either site and I've had the "allow insecure derivatives" setting in my settings.php file since it became necessary. Still no image previews on image styles (though I can click the "See full size" link and that works). Annoying.

Version: 7.19 » 7.x-dev

Core issues are now filed against the dev versions where changes will be made. Document the specific release you are using in your issue comment. More information about choosing a version.

Status: Active » Closed (outdated)

Automatically closed because Drupal 7 security and bugfix support has ended as of 5 January 2025. If the issue verifiably applies to later versions, please reopen with details and update the version.