A user viewing an image at for example example.com/node/1234, if he knows Drupal, can get the original by example.com/node/1234?size=_original. This may be problematic for professional photographers wanting to protect their creation.

With the patch in drupal.org/node/51541 the "Allow user to view original" setting (broken until now in 4.7) will be restored. But this code does prevent the access using ?size=_original.

I am ready to provide a patch, but as I don't know yet very well Drupral, I would like to know if it is sufficient to put a check like if (user_access('view original images') in the image_view hook?

Should this issue be classified as "critical"?

Comments

mcurry’s picture

mcurry commented

*subscribe*

I have seen this problem in the Drupal 5 version as well - is there a known fix for this? It seems that the module should block access to ?size=_original if the current user does not have proper permissions.

drewish’s picture

drewish commented

yeah this is a bug. i've got a fix started but it touches a lot of code so i'll need to do some more testing.

drewish’s picture

drewish commented
Status: Active » Closed (fixed)

this was fixed by http://drupal.org/node/54241

mcurry’s picture

mcurry commented

This issue is fixed by this issue?

drewish’s picture

drewish commented

whoops, wrong link, but yeah it should be fixed.

Hetta’s picture

Hetta commented

Sorry, where is this fixed? Thanks!

drewish’s picture

drewish commented

http://drupal.org/node/86283