The function _uc_file_download_validate in uc_file doesn't confirm that the user accessing the download is the user that paid for it. As long as the file download is valid, any user (including anon) can download it if they know the URL and no other limits have been reached (IP address cap, etc.).

This isn't inherently a bug (some sites allow anonymous checkout, etc.), but it is somewhat unexpected so it needs to be documented in the module settings.

It seems like the IP address cap is the best way to prevent link sharing right now.

Comments

longwave

Status: Active » Closed (won't fix)

Link sharing is mitigated by the fact that a link is only ever valid for a single successful download. Once the download is complete, the link becomes invalid and a new token is generated for the next link.
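The two behaviours discussed in this thread, side by side, as an added example. This is a self-contained model and not uc_file's code: the link table layout, the function names, the IP cap constant and the sample token are all assumptions. `validate_unbound` models what the issue describes (a live token is enough, whoever presents it), with the single-use consumption longwave mentions; `validate_bound` adds the check the reporter found missing, that the requester is the user who paid.

```php
<?php
declare(strict_types=1);

// Constructed sample data (not a real uc_file table): one granted link,
// keyed by its download token, bought by user 42 and good for one download.
function sample_links(): array {
    return [
        'tok-7f3a' => ['uid' => 42, 'fid' => 7, 'remaining' => 1, 'ips' => []],
    ];
}

const ANONYMOUS_UID = 0;
const IP_CAP = 2;  // assumed per-link cap on distinct client addresses

// Limit checks shared by both validators: the link must still have downloads
// left and the client address must fit under the per-link IP cap.
// Records a new address in $link when it is admitted.
function within_limits(array &$link, string $ip): bool {
    if ($link['remaining'] <= 0) {
        return false;
    }
    if (!in_array($ip, $link['ips'], true)) {
        if (count($link['ips']) >= IP_CAP) {
            return false;
        }
        $link['ips'][] = $ip;
    }
    return true;
}

// Behaviour the issue describes: the requester's identity is never consulted.
// Whoever presents a live token first gets the file and consumes the link.
function validate_unbound(array &$links, string $token, int $uid, string $ip): bool {
    if (!isset($links[$token]) || !within_limits($links[$token], $ip)) {
        return false;
    }
    $links[$token]['remaining']--;   // single use per successful download
    return true;
}

// Hardened variant: identical limits, plus the requester must be the
// purchasing user. Anonymous requests (uid 0) can never match a purchaser.
function validate_bound(array &$links, string $token, int $uid, string $ip): bool {
    if (!isset($links[$token])) {
        return false;
    }
    if ($uid === ANONYMOUS_UID || $uid !== $links[$token]['uid']) {
        return false;
    }
    if (!within_limits($links[$token], $ip)) {
        return false;
    }
    $links[$token]['remaining']--;
    return true;
}

// Scenario: the purchaser forwards the URL and a stranger tries it first,
// then the purchaser tries it, then tries once more (a replay).
function run_scenario(callable $validate): array {
    $links = sample_links();
    return [
        'stranger'  => $validate($links, 'tok-7f3a', ANONYMOUS_UID, '198.51.100.9'),
        'purchaser' => $validate($links, 'tok-7f3a', 42, '203.0.113.5'),
        'replay'    => $validate($links, 'tok-7f3a', 42, '203.0.113.5'),
    ];
}

var_dump(run_scenario('validate_unbound'));
var_dump(run_scenario('validate_bound'));
```

Run it with `php` on the command line. The scenario is built so that single use alone does not settle the question: under `validate_unbound` the stranger who tries the forwarded URL first is served and the purchaser finds the link already consumed, while under `validate_bound` the stranger is refused, the purchaser succeeds, and the replay is refused because the link has been used. The IP cap is kept in both so the example reflects the "other limits" the reporter mentions rather than replacing them.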