Even with view_unpublished I do not appear to be able to view files attached to unpublished nodes if I am not the author of the node. Any ideas on how to resolve this?

Comments

entendu’s picture

Hmm, excellent question. I will look into this early next week -- I would start digging around in file attach permissions if you want to get started sooner rather than later! :)

slosa’s picture

Any luck?

rooby’s picture

Status: Active » Needs review
Attached file (status: new, size: 4.03 KB)

I tracked this problem down to the module weight.

Because this module runs before other modules, when it does its hook_nodeapi and redirects, it means other modules' hook_nodeapis aren't run (for example upload_nodeapi, which handles file attachments).

This is an issue because this module also has to run before other modules so that it can take over the menu permissions handling.

This patch addresses this issue by moving the hook_nodeapi out into its own module, which has a weight greater than other modules.

It isn't the greatest looking solution but when you're dealing with module weights and menu altering there isn't much you can do about that.

If this is an issue with the D6 module I'm sure this is easily portable.

rooby’s picture

This patch also has some instruction added to the readme.

rooby’s picture

This patch has the same functionality as the patch in #4, but it will apply cleanly if you have already applied the patch in #500432: Allow access to view unpublished revisions (and revision tab)

filburt’s picture

Version: 5.x-1.x-dev » 6.x-1.0

Hi,

I could need it in a Drupal 6 version with File Framework module installed. The problem I have is described in #773498: HTTP 403 Error when trying to access unpublished nodes without 'administer nodes' permission. What do you think - could it be possible to solve my problem with a Drupal 6 version of the patch provided above?

Thanks for support
Filburt

rooby’s picture

I have not used the D6 version of this module so I have no idea what has changed between versions.

I have also not used the file framework module before so I can't comment on that either.

If this is still a problem on D6 then this should be able to be ported to 6.
From memory the problem was the module weight interfering.
You needed different weights for different parts of this module, which is why the patch adds a sub module with different weight.

I don't use this module at all anymore as the site it was on had lots of other revision moderation and other modules that this wouldn't work properly with so I don't have the time/resources to work on this anymore.

filburt’s picture

Thanks for the fast reply. I found a solution using the Workflow module to manage the handling of unpublished file attachments.

I described it here: #773498: HTTP 403 Error when trying to access unpublished nodes without 'administer nodes' permission

Greetings
Filburt

filburt’s picture

Status: Needs review » Closed (fixed)

this_is_it’s picture

Status: Closed (fixed) » Active

What if I just don't want to use the Workflow module? After all, Workflow is a relatively 'big' module; it may bring some unpredicted effects on the existing functions.

I have debugged this problem.
The function 'file_download' in the file 'includes/file.inc' implements the file downloading logic.

It calls the function module_invoke_all to invoke the modules which implement hook_file_download; if the returned array contains '-1', then it complains 'access denied', indicating that the current user does not have the rights to download file attachments.

Eventually I tracked it to the Drupal core optional module 'upload'; the hook is 'upload_file_download', as follows:

function upload_file_download($filepath) {
  $filepath = file_create_path($filepath);
  $result = db_query("SELECT f.*, u.nid FROM {files} f INNER JOIN {upload} u ON f.fid = u.fid WHERE filepath = '%s'", $filepath);
  if ($file = db_fetch_object($result)) {
  
    if (user_access('view uploaded files') && ($node = node_load($file->nid)) && node_access('view', $node)) {
      return array(
        'Content-Type: ' . $file->filemime,
        'Content-Length: ' . $file->filesize,
      );
    }
    else {
      return -1;
    }
  }
}

Then I changed this clause:

if (user_access('view uploaded files') && ($node = node_load($file->nid)) && node_access('view', $node)) 

to

if (user_access('view uploaded files') && ($node = node_load($file->nid)) ) {

Just by eliminating 'node_access('view',$node)' you can pass the permission check and also view/download file attachments to unpublished nodes. I have not found any side effects on my site until now.

Maybe I should explain a bit more why 'node_access('view',$node)' should be eliminated in order to meet the goal. The reason is that 'node_access('view',$node)' would always return false if its argument '$node' is an unpublished node. I copy the 'node_access' function as follows:

function node_access($op, $node, $account = NULL) {
    ...                  // other code, omitted by me.

  // If the module did not override the access rights, use those set in the
  // node_access table.
  if ($op != 'create' && $node->nid && $node->status) {
    $grants = array();
    foreach (node_access_grants($op, $account) as $realm => $gids) {
      foreach ($gids as $gid) {
        $grants[] = "(gid = $gid AND realm = '$realm')";
      }
    }

    $grants_sql = '';
    if (count($grants)) {
      $grants_sql = 'AND ('. implode(' OR ', $grants) .')';
    }

    $sql = "SELECT 1 FROM {node_access} WHERE (nid = 0 OR nid = %d) $grants_sql AND grant_$op >= 1";
    $result = db_query_range($sql, $node->nid, 0, 1);
    return (bool) db_result($result);
  }

  // Let authors view their own nodes.
  if ($op == 'view' && $account->uid == $node->uid && $account->uid != 0) {
    return TRUE;
  }

  return FALSE;
}

You see that for an unpublished node, whose $node->status is 0, it does not satisfy 'if ($op != 'create' && $node->nid && $node->status) {', so we come to 'if ($op == 'view' && $account->uid == $node->uid && $account->uid != 0) {'; if the author of the unpublished node is not the current user, it would also not satisfy '$account->uid == $node->uid'.

At last, the function 'node_access' returns false.

So I want to say it's something concerning Drupal core functions. Hoping that posting this is useful for somebody.
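
Added example (not part of the comment above and not Drupal core or module code): a stand-alone PHP model of the quoted download check, comparing the shipped condition, the condition with node_access() removed, and a narrower variant that keeps node_access() and adds a single exception for unpublished nodes. The 'view unpublished content' permission name, the function names and the sample nodes and accounts are assumptions constructed for illustration.

```php
<?php
// Stand-alone model of the check discussed above; not Drupal code.
// 'view unpublished content' is a placeholder permission name (assumption).
// Mirrors only the quoted part of node_access() for $op == 'view'.
function model_node_access_view(array $node, array $account) {
  if ($node['status']) {
    return $node['grant_view'];  // published: {node_access} grants decide
  }
  return $account['uid'] != 0 && $account['uid'] == $node['uid'];  // unpublished: author only
}

function has_perm(array $account, $perm) {
  return in_array($perm, $account['perms'], TRUE);
}

// Condition as quoted from upload_file_download().
function policy_core(array $node, array $account) {
  return has_perm($account, 'view uploaded files') && model_node_access_view($node, $account);
}

// Condition after node_access('view', $node) is removed.
function policy_removed(array $node, array $account) {
  return has_perm($account, 'view uploaded files');
}

// Narrower variant: keep node_access(), add one exception for unpublished nodes.
function policy_narrowed(array $node, array $account) {
  $may_view = model_node_access_view($node, $account)
    || (!$node['status'] && has_perm($account, 'view unpublished content'));
  return has_perm($account, 'view uploaded files') && $may_view;
}

// Constructed sample data.
$nodes = array(
  'published, grant row' => array('uid' => 2, 'status' => 1, 'grant_view' => TRUE),
  'published, no grant row' => array('uid' => 2, 'status' => 1, 'grant_view' => FALSE),
  'unpublished' => array('uid' => 2, 'status' => 0, 'grant_view' => TRUE),
);
$accounts = array(
  'author' => array('uid' => 2, 'perms' => array('view uploaded files')),
  'reviewer' => array('uid' => 3, 'perms' => array('view uploaded files', 'view unpublished content')),
  'member' => array('uid' => 4, 'perms' => array('view uploaded files')),
);
foreach ($nodes as $nlabel => $node) {
  foreach ($accounts as $alabel => $account) {
    printf("%-24s %-9s core=%d removed=%d narrowed=%d\n", $nlabel, $alabel,
      policy_core($node, $account), policy_removed($node, $account), policy_narrowed($node, $account));
  }
}
```

In the output, `removed=1` appears for `member` on both the unpublished node and the published node with no grant row, because dropping node_access() also skips the {node_access} grants check that applies to published nodes. The narrowed variant opens only the unpublished case, and only for accounts holding the extra permission.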

entendu’s picture

Status: Active » Closed (works as designed)