Direct image views not restricted

Hi,

accessing an image directly via a call to
http://example.site/drupal/image/view/57

is possible even when access to node 57 is not allowed by drupal's access control. This means that a user without permissions to access the image node via http://example.site/drupal/node/57 can still access the image via the above link. This includes anonymous users, users from different groups (if using og), etc. Not sure if this was an intended feature, but it seems like a bug to me.

image_menu sets the relevant callback in this case

    $items[] = array('path' => 'image/view', 'title' => t('image'),
                     'access' => user_access('access content'),
                     'type' => MENU_CALLBACK,
                     'callback' => 'image_fetch');

So as long as a user has privileges to 'access content' (most do) they can access the image via the image/view path, currently there's no check against any other privileges.

I updated image_fetch with a check against the node the image belongs to, returning from the function after a call to drupal_access_denied() if the check fails.

/**
 * Fetches an image file, allows "shorthand" image urls such of the form:
 * image/view/$nid/$label
 * (e.g. image/view/25/thumbnail or image/view/14)
 */
function image_fetch($nid = 0, $size = 'preview') {
  if ($nid) {
    $node = node_load(array('nid' => $nid));
    if (!node_access('view',$node)) {   // check against image's parent node
      drupal_access_denied();
      return;
    }
    if ($node->images[$size]) {
      $file = $node->images[$size];
      $headers = image_file_download($file);
      file_transfer($file, $headers);
    }
  }
}

Are there any problems with that?

Patrick

p.s. There was another issue posted for 4.6 at http://drupal.org/node/49881 that is similar but I think has to do with accessing the file directly rather than using the view/image path