I created a filenode with a file bird.jpg. The filenode itself belongs to a group and therefore anonymous users can not access it. However, the file attached to the filenode appears to be downloadable by any user, including anomyous users who do NOT have the download any filenode permission. My site is set for "Private" access also.

My question is: shouldn't file access permissions be limited to those of the node? If so, what should I do here? If not, how do we make that happen as I believe this would be a critical component of filenode?

Comments

tommyk’s picture

There is a big problem with 6.x-1.4 that had been working properly in the previous version. The filenode file seems to redirect directly to the path of the file and displays the path in the address bar. Previously, in version 6.x-1.3, the address bar only displayed the path of the filenode or the filenode file, e.g., node/[nid] or node/[nid]/file.

I have reverted to version 6.x-1.3 for my own use right now. (See my discussion with yookoala at http://drupal.org/node/467520.)

What I've found now with 6.x-1.3 is that file access permissions seem to work, but not in the expected way.

Users cannot access the filenodes or filenode files that they do not have permission for by going to their URLs or their aliases. (If someone guesses the true path to the file in /files/ they will gain access, though.)

The problem is that a user without permission is not shown the proper 403 error when trying to access a restricted filenode or filenode file. Instead, the browser seems to attempt to load the URL, but when it finishes, the screen that was originally there remains there with no change.

This behavior really should be corrected. I'll help however I can, but I don't know PHP or the inner workings of Drupal yet.

(btw, my node permissions are set using the Content Access module if that information is needed)

somebodysysop’s picture

Status: Active » Needs review

The filenode.module needs to take advantage of hook_file_download to not allow access to any filenode file unless the user has permission. I created this code in my environment:

/**
* Implementation of hook_file_download()
*/
function scbbs_file_download($file) {

  // First, check filenodes
  $result = db_query("SELECT a.nid, f.* FROM {filenode} a INNER JOIN {files} f ON a.fid = f.fid WHERE f.filepath = '%s'", $file);
  if ($file = db_fetch_object($result)) {
    // Check node access
    if ((db_result(db_query(db_rewrite_sql("SELECT n.nid FROM {node} n WHERE n.nid = %d"), $file->nid)))) {    
      return array('Content-type:' . $file->filemime);
    } else {
      return -1;
    }
  }

}

It simply looks to see if the file displayed is a filenode, and if it is, enforces acess based upon those of the node it belongs to.

This should really be a part of the filenode module itself.