Currently the check to node_access() in filefield_file_download() does not correctly check the visibility of the node. The logic here is a little flawed:

      if ($denied == FALSE && $node = node_load($content['nid']) && node_access('view', $node)) {
        // You don't have permission to view the node this file is attached to.
        $denied = TRUE;
      }

Node access will return FALSE if $node is not visible to the current user. However, there seem to be some issues on some versions of PHP with the use of variable build-up in the if statement, and I couldn't get this to work by just switching it to !node_access. When I first started var_dump()ing the $node inside, I was getting TRUE instead of a full object.

Anyway, the following logic is almost as efficient, and has the added benefit of always working:

      if ($denied == FALSE && $node = node_load($content['nid'])) {
        // You don't have permission to view the node this file is attached to.
        $denied = !node_access('view', $node);
      }

Patch coming shortly.
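Why `$node` can end up as a boolean in the first condition, shown as an added example that is not part of the original report or of FileField's code: in PHP `&&` binds more tightly than `=`, so everything after `$node =` is evaluated as one boolean expression before the assignment happens. `demo_node_load()` and `demo_node_access()` are hypothetical stand-ins for Drupal's `node_load()` and `node_access()`, and the two nodes are constructed sample data.

```php
<?php
// Hypothetical stand-ins for Drupal's node_load() and node_access().
// The two nodes are constructed sample data.
function demo_node_load($nid) {
  $nodes = array(
    1 => (object) array('nid' => 1, 'status' => 1), // published
    2 => (object) array('nid' => 2, 'status' => 0), // unpublished
  );
  return isset($nodes[$nid]) ? $nodes[$nid] : FALSE;
}

function demo_node_access($op, $node) {
  // Grants 'view' only on a real, published node object.
  return $op === 'view' && is_object($node) && $node->status == 1;
}

// Condition from the report. PHP groups it as
// $node = (demo_node_load($nid) && demo_node_access('view', $node)),
// so the access check runs before $node holds the loaded node.
function denied_original($nid) {
  $denied = FALSE;
  $node = NULL; // explicit, so the unassigned state is visible
  if ($denied == FALSE && $node = demo_node_load($nid) && demo_node_access('view', $node)) {
    $denied = TRUE;
  }
  return array($denied, gettype($node));
}

// Replacement logic from the report: load first, then test access.
function denied_fixed($nid) {
  $denied = FALSE;
  $node = NULL;
  if ($denied == FALSE && $node = demo_node_load($nid)) {
    $denied = !demo_node_access('view', $node);
  }
  return array($denied, gettype($node));
}

foreach (array(1, 2) as $nid) {
  foreach (array('denied_original', 'denied_fixed') as $check) {
    list($denied, $type) = $check($nid);
    printf("%-15s nid=%d denied=%s node=%s\n", $check, $nid, var_export($denied, TRUE), $type);
  }
}
```

With these stand-ins the original condition never sets `$denied` for either node and leaves `$node` as a boolean, while the two-step form denies the unpublished node. Parenthesising the assignment, `($node = demo_node_load($nid)) && ...`, produces the same grouping as the two-step form.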

Comments

quicksketch

Status: Active » Fixed

joshk

Version: 6.x-3.1 » 6.x-3.x-dev
Status: Fixed » Closed (duplicate)

NM, this is fixed in head.