Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
In image_style_deliver() hook_file_download() is invoked with a URL that does not contain any style information. Though it looks to me this information should be there. Could someone please check if this is intended behaviour? I thought it would be possible to grant access depending on the style, e.g. to block access to hi-res originals.
$image_uri = $scheme . '://' . $target;
$derivative_uri = image_style_path($style['name'], $image_uri);
// If using the private scheme, let other modules provide headers and
// control access to the file.
if ($scheme == 'private') {
if (file_exists($derivative_uri)) {
file_download($scheme, file_uri_target($derivative_uri));
}
else {
$headers = module_invoke_all('file_download', $image_uri);
Comments
Comment #1
Stefan Freudenberg CreditAttribution: Stefan Freudenberg commentedChanging to bug so maybe someone looks at that.
Comment #2
johnvNote that the mentioned lines are only for private files. For private files, the access to the image_style is only granted if the user has access to the original image.
So, it calls all hook_file_download's for the original $image_uri (which does not have a style).
It seems like this could be done simpler/cheaper:
- call hook_file_download_access's , but the file module itself doesn't have this hook as a separate function.
- Or, simply call file_download($scheme, $image_uri));
Comment #3
tomas.teicher CreditAttribution: tomas.teicher commentedWhat is the workaround if I want to skip checking access of original image? Even for the price of changing core function with patch?
Can anybody help?
thanks
Tomas
Comment #4
Sam152 CreditAttribution: Sam152 commentedThis is still a problem in 8.1. Can be fixed there and then backported.
Comment #14
quietone CreditAttribution: quietone at PreviousNext commentedimage_style_deliver was removed in #1987712: Convert file_download() to a new style controller in Drupal 8.x with no replacement. Looking at the patch in that issue it did not invoke the file_download anymore. I could not find when that was removed.
Therefore, closing as outdated. If this is incorrect reopen the issue, by setting the status to 'Active', and add a comment explaining what still needs to be done.
Thanks!