Index: filefield_widget.inc
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/filefield/filefield_widget.inc,v
retrieving revision 1.71
diff -u -r1.71 filefield_widget.inc
--- filefield_widget.inc	28 Mar 2009 06:25:23 -0000	1.71
+++ filefield_widget.inc	29 Mar 2009 00:45:39 -0000
@@ -79,6 +79,12 @@
 function _filefield_widget_settings_file_path_validate($element, &$form_state) {
   // Strip slashes from the beginning and end of $widget['file_path']
   $form_state['values']['file_path'] = trim($form_state['values']['file_path'], '\\/');
+
+  // Do not allow the file path to be the same as the file_directory_path().
+  // This causes all sorts of problems with things like file_create_url().
+  if (strpos($form_state['values']['file_path'], file_directory_path()) === 0) {
+    form_error($element, t('The file path (@file_path) cannot start with the system files directory (@files_directory), as this may cause conflicts when building file URLs.', array('@file_path' => $form_state['values']['file_path'], '@files_directory' => file_directory_path())));
+  }
 }
 
 function _filefield_widget_settings_max_filesize_per_file_validate($element, &$form_state) {
@@ -165,6 +171,7 @@
     if ($fid = filefield_save_upload($element)) {
       $item['fid'] = $fid;
     }
+
     // Load file if the FID has changed so that it can be saved by CCK.
     $file = field_file_load($item['fid']);
 
@@ -252,8 +259,12 @@
   $element['filefield_upload']['#access'] = empty($item['fid']);
   $element['filefield_remove']['#access'] = !empty($item['fid']);
 
-  // Figure out our fid...
-  $element['fid'] = array('#type' => 'hidden', '#value' => $item['fid']);
+  // Set the FID.
+  $element['fid'] = array(
+    '#type' => 'hidden',
+    '#value' => $item['fid'],
+    '#element_validate' => array('filefield_widget_validate_fid'),
+  );
 
   if ($item['fid'] != 0) {
     $element['preview'] = array(
@@ -320,8 +331,23 @@
 /**
  * An #element_validate callback for the filefield_widget field.
  */
-function filefield_widget_validate($element, &$form_state) {
-  // Currently all handled by filefield_widget_upload_validators().
+function filefield_widget_validate(&$element, &$form_state) {
+  // If referencing an existing file, only allow if there are existing
+  // references. This prevents unmanaged files (outside of FileField) from being
+  // deleted if this node were to be deleted.
+  if (!empty($element['fid']['#value'])) {
+    $field = content_fields($element['#field_name'], $element['#type_name']);
+    if ($file = field_file_load($element['fid']['#value'])) {
+      $file = (object) $file;
+      // TODO: Currently fields can only reference files by the same field.
+      if ($file->status == FILE_STATUS_PERMANENT && field_file_references($file, $field) == 0) {
+        form_error($element, t('Referencing to the file used the %field field is not allowed.', array('%field' => $element['#title'])));
+      }
+    }
+    else {
+      form_error($element, t('The file referenced by the %field field does not exist.', array('%field' => $element['#title'])));
+    }
+  }
 }
 
 /**