I understand that you can use node security to restrict access to the Filebrowser directory listing, but that does NOT stop someone from downloading the files, even if they do not have permission to see the Filebrowser.
1. If Private Downloads is not checked, then someone can simply type the URL path to get the file they want, if they know where the file is being stored. The workaround is to use Private Downloads and put a very restrictive .htaccess file in the location of the files that are being viewed by filebrowser (this may have been mentioned in another post).
2. If Private Downloads is checked then the file passes through PHP but currently you can still download any file if you know the path, even if you don't have permission to view the filebrowser node. I added the following code in the filebrowser_init() function to fix that:
if (is_file($file)) {
  // -- start of bug fix --
  // Check to see if we have permission to download the file
  if (node_access('view', $node) == TRUE) {
  // -- end of bug fix --
    // Check that the file is readable.
    if (is_readable($file)) {
      ...etc
and of course, add the appropriate closing bracket.
Comments
Comment #1
Yoran commented
For the first point there is nothing to do. When using "public" mode, everyone should know that download security is all in the Apache realm.
For the second one, I enforced the security by using a new perm ('download files') that is used for both "download folder as an archive" and individual file downloads.
This will soon be in CVS.
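The node-access check from the report and the 'download files' permission from Comment #1, combined into one decision function as an added example (not Filebrowser's own code). The function name, the two boolean inputs standing in for node_access('view', $node) and user_access('download files'), and the realpath() containment check are assumptions; the containment check goes beyond what this thread discusses.

```php
<?php
/**
 * Hypothetical helper: decide whether a private-download request is served.
 *
 * $can_view_node stands in for node_access('view', $node).
 * $can_download stands in for user_access('download files').
 * Returns an HTTP status code: 200 (serve), 403 (denied) or 404 (not found).
 */
function example_download_status($base_dir, $relative, $can_view_node, $can_download) {
  // Authorize before touching the filesystem, so a caller without access
  // cannot use the response to learn which files exist.
  if (!$can_view_node || !$can_download) {
    return 403;
  }
  // realpath() resolves "../" and symlinks and returns FALSE if nothing is there.
  $base = realpath($base_dir);
  $file = realpath($base_dir . '/' . $relative);
  if ($base === FALSE || $file === FALSE) {
    return 404;
  }
  // The resolved file must still sit inside the folder the node exposes.
  if (strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
    return 403;
  }
  if (!is_file($file) || !is_readable($file)) {
    return 404;
  }
  return 200;
}

// Constructed sample data in a temporary directory.
$root = sys_get_temp_dir() . '/fb_example_' . getmypid();
mkdir($root . '/shared', 0700, TRUE);
file_put_contents($root . '/shared/report.txt', 'constructed sample');
file_put_contents($root . '/other.txt', 'outside the node folder');

// Each case: requested path, may view node, has 'download files' permission.
$cases = array(
  array('report.txt', TRUE, TRUE),     // authorized user, file in folder
  array('report.txt', FALSE, TRUE),    // knows the path, cannot view the node
  array('report.txt', TRUE, FALSE),    // can view the node, lacks the permission
  array('../other.txt', TRUE, TRUE),   // path resolves outside the node folder
  array('missing.txt', TRUE, TRUE),    // nothing at that path
);
foreach ($cases as $c) {
  $status = example_download_status($root . '/shared', $c[0], $c[1], $c[2]);
  printf("%-14s view=%d perm=%d -> %d\n", $c[0], $c[1], $c[2], $status);
}

// Remove the constructed files again.
unlink($root . '/shared/report.txt');
unlink($root . '/other.txt');
rmdir($root . '/shared');
rmdir($root);
```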