We just can't seem to get this right. I've opened a new issue separate from #247095: Upload.module hard-codes 'view uploaded files' permission check, since that one has had its changes applied back to Drupal 6 and this problem is specific to Drupal 7's upload.module.

Currently we have a single IF statement to check if the $file was found. If the file is not found in the upload database table, upload module denies access to the file (essentially upload.module is again blocking access to all files it doesn't control).

This patch makes it so that upload.module only checks permissions on files it owns.

CommentFileSizeAuthor
upload_file_download.patch1.12 KBquicksketch

Comments

quicksketch’s picture

quicksketch
he/him
commented

Upload module was working properly for only a short time. This bug was re-introduced in #352236: Finish moving upload.module to DB:TNG.

quicksketch’s picture

quicksketch
he/him
commented
Title: upload_file_download() Blocks Acess to Files Upload Doesn't Own » upload_file_download() Blocks Access to Files Upload Doesn't Own
drewish’s picture

drewish commented

good call, now that user.module has user pictures as files it should be easy to add a user picture and then try a private download of that and make sure upload module aint up in it's business.

quicksketch’s picture

quicksketch
he/him
commented
Status: Needs review » Closed (duplicate)

Sorry I didn't realize you'd uploaded basically an identical patch in #247095: Upload.module hard-codes 'view uploaded files' permission check. I'll mark this as a duplicate and we can review in the other thread (which now has a patch for both fixing this problem and adding tests).