Closed (won't fix)
Project: FileRequest
Version: master
Component: Code
Priority: Critical
Category: Bug report
Assigned:
Reporter:
Created: 23 Jul 2006 at 11:28 UTC
Updated: 2 Aug 2006 at 10:25 UTC
If the "view upload files" permission is disabled for the active role (anonymous or logged user), the FileRequest module doesn't check this permission. This is a critical bug, especially because this module tries to fix the standard Drupal way for managing files.
I have a simple small patch to correct this bug.
The code in the function _filerequest_download() is inserted in an "if block":
```php
if (user_access('view uploaded files')) {
  // [ .... original FileRequest code .... ]
} else {
  drupal_access_denied();
  return;
}
```
| Comment | File | Size | Author |
|---|---|---|---|
| | filerequest.module.patch.txt | 3.72 KB | finex |
Comments
Comment #1
elmuerte commented
FileRequest doesn't have to check that permission since it's a permission of another module. The upload module should take care of this. FileRequest uses the exact same security system as the normal private download method does.
Besides, this module would break other modules that also provide files (like user pictures or the image module).
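
The argument in Comment #1, as an added example that is not part of the original thread and is not FileRequest or Drupal code: a simplified PHP model comparing per-module download checks with the single global check from the proposed patch. The `model_*` functions and the file names are hypothetical, and the model assumes each module's download hook returns headers to allow, -1 to deny, or nothing for files it does not own.

```php
<?php
// Simplified model of hook-based download access control (constructed for
// illustration; function and file names here are hypothetical).

// Constructed sample data: which module owns which file.
$owners = array(
  'files/report.pdf'        => 'upload',
  'files/pictures/pic7.jpg' => 'user',
);

// Each module answers only for files it owns: headers to allow, -1 to deny,
// NULL when the file is not its own.
function model_upload_download($file, $perms, $owners) {
  if (!isset($owners[$file]) || $owners[$file] != 'upload') return NULL;
  return in_array('view uploaded files', $perms)
    ? array('Content-Type: application/pdf') : -1;
}

function model_user_download($file, $perms, $owners) {
  if (!isset($owners[$file]) || $owners[$file] != 'user') return NULL;
  return array('Content-Type: image/jpeg');
}

// Dispatcher: any -1 denies, any headers allow, otherwise not found.
function model_dispatch($file, $perms, $owners) {
  $results = array();
  foreach (array('model_upload_download', 'model_user_download') as $hook) {
    $r = $hook($file, $perms, $owners);
    if ($r !== NULL) $results[] = $r;
  }
  if (in_array(-1, $results, TRUE)) return 'denied';
  return count($results) ? 'served' : 'not found';
}

// The proposed patch: one global permission check in front of everything.
function model_dispatch_patched($file, $perms, $owners) {
  if (!in_array('view uploaded files', $perms)) return 'denied';
  return model_dispatch($file, $perms, $owners);
}

$anonymous = array();  // role without 'view uploaded files'
foreach (array_keys($owners) as $file) {
  printf("%-26s hooks: %-8s patched: %s\n", $file,
    model_dispatch($file, $anonymous, $owners),
    model_dispatch_patched($file, $anonymous, $owners));
}
```

In this model both variants deny the upload-owned file to a role without the permission, while only the patched variant also denies the user picture, which is the breakage the comment describes.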