Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
function _private_upload_create_url uses variable_set to momentarily change the file system to 'private' and then back to 'public'. In theory this should be harmless, but we've seen our production site get switched to 'private' filesystem twice now, presumably if something goes wrong in that function. This causes all kinds of problems and is not immediately detected.
This patch uses the variable storage global $conf to temporarily change the setting without actually saving it to the database. This approach seems less dangerous and better performance anyway.
Comment | File | Size | Author |
---|---|---|---|
#5 | private.patch | 1.32 KB | Jody Lynn |
private_upload_file_downloads.patch | 1.48 KB | Jody Lynn |
Comments
Comment #1
Jody LynnComment #2
jweowu CreditAttribution: jweowu commentedUsing variable_set() is definitely not harmless. It would leave you open to race conditions when multiple requests execute that code simultaneously.
Assuming that the sequence is:
a) store the current setting
b) over-ride with 'private'
c) restore original setting
Then the following could happen:
1. method is 'public'
2. request 1 reads 'public'
3. request 1 writes 'private'
4. request 2 reads 'private'
5. request 2 writes 'private'
6. request 1 restores 'public'
7. request 2 restores 'private'
8. method remains 'private'
Using the global $conf array is correct. It affects the values that variable_get() returns, without writing that value to the database, so it only affects the current request.
Comment #3
Jody LynnThanks for the clearer explanation. Setting to 'reviewed'.
Comment #4
jweowu CreditAttribution: jweowu commentedYou might also want to modify the 'HACK' comment accordingly.
Comment #5
Jody LynnComment #6
alexharries CreditAttribution: alexharries commentedSeconded - this has broken our site three times today!! :o)
Comment #7
Jody LynnComment #8
heavy_engineer CreditAttribution: heavy_engineer commentedAnd there was me thinking i was going mad. This breaks my site every few days or so. Will test the next release.
Comment #9
Jody LynnCommitted to the D6 branch.
Needs to be tested for D5 version before being committed to D5.
Comment #10
idmacdonald CreditAttribution: idmacdonald commentedThis bug makes the 6.x-1.0-rc2 version of the module completely unusable for me. The bug has been fixed in the 6.x-1.x-dev version of the module. I think it would be good to release another stable version of the module soon. I know I prefer to not to run development versions of modules on live sites. And this bug means that the latest 'stable' version of the module is likely to cause major problems for many sites.
Thanks,
-Ian