Regarding this message and a previous thread in attachment module support, I think we need a little more security to allow or deny file downloads.
As Claudio mentioned in his mail, if a user knows the link of the file (even if it's using a private URL), there's no perm check to allow or deny the user's download of the file.

So let's add a little security there:

/**
 * Implementation of hook_menu().
 */
function filemanager_menu($may_cache) {
  $items = array();

  if ($may_cache) {
    $items[] = array('path' => 'filemanager/active', 'title' => t('file download'),
      'callback' => 'filemanager_download_active',
      'access' => user_access('download files'),
      'type' => MENU_CALLBACK);
    $items[] = array('path' => 'filemanager/working', 'title' => t('file download'),
      'callback' => 'filemanager_download_working',
      'access' => user_access('download files'),
      'type' => MENU_CALLBACK);
  }

  return $items;
}

/**
 * Implementation of hook_perm().
 */
function filemanager_perm() {
  return array('download files');
}

We just add a "download files" permission to check if the user is allowed to download files.
I think that a "view attachment" permission may also be needed.

Comments

ccourtne

Status: Needs review » Closed (works as designed)

This does not belong in the filemanager module. Modules that use the filemanager API have the responsibility to implement the filemanager_download hook to implement their own security. It would be very confusing to have to give people both privileges to the filemanager download as well as the module that uses filemanager. Filemanager by design has nothing to do with end user interaction; it is purely an API for managing files for other modules. Think of it as a replacement for the file.inc API for module developers that need more control.

robertdouglass

Craig,

So, just looking at the attachment module, that would look something like this?


/**
 * Implementation of hook_perm()
 */
function attachment_perm() {
  return array('add attachments', 'download attachments');
}

function attachment_filemanager_download($file) {
  if ($file->area == 'attachments' && user_access('download attachments')) {
    return TRUE;
  }
}

robertdouglass

Seems I wasn't looking at the most recent version. I see you've now done the far better thing, and made the download dependent on the node access permissions. These two modules so beat the upload module. I would really like to see upload module yanked from core and this and attachment added instead. Great work, Craig.

khanshakeeb

Hi, I want to know how to restrict login users to download a file by hitting the URL directly.

cscsteve

Wow, you found an old one!

Looks like the original maintainer determined that this feature didn't belong in Filemanager (the "by design" status on this issue). You can give a few of the modifications mentioned in this thread a try, but I don't advocate them one way or another.

IIRC: Attachment won't let a user who doesn't have access to the node that a file is attached to download that file even using a direct URL if "Force Private" is checked. I may be wrong about that, it has been a while since I actually looked at that code.

Note of course that this stuff has no bearing on how the core Upload module works; in fact Filemanager is incompatible with the core module and only one or the other must be enabled.

- Steve
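
The design discussed in this thread (the consuming module implements the filemanager_download hook and ties the decision to node access, so a directly typed URL passes through the same check) is sketched below as an added, stand-alone simulation; it is not code from Filemanager, Attachment or any participant. Only `$file->area` comes from the thread: `$file->nid`, the extra `$user` parameter, `demo_node_access()`, `demo_download()` and its deny-unless-granted rule are assumptions made for illustration.

```php
<?php
// Added illustration: a stand-alone simulation, not Filemanager or Attachment code.
// $file->nid, the $user argument and every demo_* name are hypothetical.

// Constructed sample data: which users may view which nodes.
$GLOBALS['demo_node_viewers'] = array(
  10 => array('alice', 'bob'),
  11 => array('alice'),
);

// Stand-in for Drupal's node access check on the node a file is attached to.
function demo_node_access($nid, $user) {
  $viewers = $GLOBALS['demo_node_viewers'];
  return isset($viewers[$nid]) && in_array($user, $viewers[$nid], TRUE);
}

// Hook implementation in the consuming module: it answers only for files in
// its own area and defers to access on the parent node.
function attachment_demo_filemanager_download($file, $user) {
  if ($file->area != 'attachments') {
    return NULL; // Not this module's file: no opinion.
  }
  return demo_node_access($file->nid, $user);
}

// Stand-in for the download callback. It runs on every request, however the
// URL was obtained, and serves the file only if a module explicitly grants
// access and none denies it (assumed combination rule).
function demo_download($file, $user, $hooks) {
  $granted = FALSE;
  foreach ($hooks as $hook) {
    $result = $hook($file, $user);
    if ($result === FALSE) {
      return 403;
    }
    if ($result === TRUE) {
      $granted = TRUE;
    }
  }
  return $granted ? 200 : 403;
}

$hooks = array('attachment_demo_filemanager_download');
$restricted = (object) array('area' => 'attachments', 'nid' => 11);
$unclaimed = (object) array('area' => 'unclaimed', 'nid' => 10);
foreach (array('alice', 'bob') as $user) {
  printf("%s requests attachment on node 11: HTTP %d\n", $user, demo_download($restricted, $user, $hooks));
}
printf("alice requests file in unclaimed area: HTTP %d\n", demo_download($unclaimed, 'alice', $hooks));
```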