resume download bypasses permissions

Bodo Maass - October 5, 2006 - 14:29
Project: FileRequest
Version: 4.7.x-1.x-dev
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: active
Description

Hi,
I have set up a file that is located outside the public HTML folders and use Drupal's private file download method. If I'm not logged in and enter the URL of the file, I get "403 Access Denied", which is correct.
Now I log in, start the download, stop it halfway through and then log out of my Drupal site. Now I resume the download and it still continues. This works even if I close my browser, restart it and then resume the download.
Somehow I would expect that resuming the download should not be possible once I have logged out. Or is this an incorrect expectation?
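
The expectation in the report, written out as an added sketch (not code from FileRequest or Drupal, and not a diagnosis of this bug): a private-file handler that evaluates the session on every request before it looks at the `Range` header, so a resumed transfer gets the same 403 as a fresh one. The names `serve_private_file`, `logout`, `PRIVATE_FILES` and `ACTIVE_SESSIONS`, and the use of the raw `Cookie` value as the session id, are assumptions made for illustration.

```python
import re

# Constructed sample data: one private file and one logged-in session id.
PRIVATE_FILES = {"report.pdf": b"0123456789" * 10}
ACTIVE_SESSIONS = {"sess-abc"}

# Only the single-range form "bytes=START-[END]" is handled in this sketch.
RANGE_RE = re.compile(r"^bytes=(\d+)-(\d*)$")


def logout(session_id):
    """Invalidate the session on the server side."""
    ACTIVE_SESSIONS.discard(session_id)


def serve_private_file(name, headers):
    """Return (status, response_headers, body) for a GET on a private file."""
    # Authorization comes first and runs on every request, so a request that
    # carries a Range header is checked exactly like a fresh download.
    if headers.get("Cookie") not in ACTIVE_SESSIONS:
        return 403, {}, b""
    data = PRIVATE_FILES.get(name)
    if data is None:
        return 404, {}, b""
    # Ask caches not to store the response, so a later resume has to come
    # back to the check above instead of being answered from a stored copy.
    out = {"Cache-Control": "private, no-store", "Accept-Ranges": "bytes"}
    m = RANGE_RE.match(headers.get("Range", ""))
    if not m or (m.group(2) and int(m.group(2)) < int(m.group(1))):
        return 200, out, data  # absent or invalid Range: send the whole file
    start, size = int(m.group(1)), len(data)
    if start >= size:
        out["Content-Range"] = f"bytes */{size}"
        return 416, out, b""
    end = min(int(m.group(2)) if m.group(2) else size - 1, size - 1)
    out["Content-Range"] = f"bytes {start}-{end}/{size}"
    return 206, out, data[start:end + 1]
```

A regression check for the reported scenario is then: resume with the same cookie after `logout()` and expect 403 with an empty body, not 206.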
