Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
With recent releases: e.g. 7.23, 7.24, a fresh install site will run into 403 access denied, when private file system is enabled.
Steps to reproduce the issue:
1. D7.24 fresh install
2. Enable private file system at /admin/config/media/file-system, set the Private file system path: sites/default/files/private
3. Change Default download method to Private local files served by Drupal.
4. Try to edit the default image style "large" at /admin/config/media/image-styles/edit/large
5. The sample image is broken.
Other info: Based on previous comments, D7.15 does not have this bug.
Comment | File | Size | Author |
---|---|---|---|
#61 | 1440312-61.patch | 3.58 KB | tameeshb |
#54 | drupal-1440312-interdiff-48-54.txt | 2.34 KB | RoSk0 |
#54 | drupal-1440312-54.patch | 3.57 KB | RoSk0 |
Comments
Comment #1
mermentau CreditAttribution: mermentau commentedHave a development 7.12 that Configuration>Media>File System is set with Default download method set to Private and was doing fine for a couple of weeks. Yesterday I edited a view and saved it and then all the images that were supposed to be served from the private directory were not showing and giving an access denied in the error log. Switching the Default download method to Public seemed to fix the problem just like the OP said.
I have another install that is very similar and the Default download set to private has yet to cause the issue.
@graper, Thanks for filing this issue. It ended some hours of frustration.
Comment #2
hedley CreditAttribution: hedley commentedI'm also experiencing this but only on Taxonomy terms, changing the default download method to public doesn't resolve it.
Tested on a fresh Drupal 7.10 installation and 7.12
This is also reported in the log just after the access denied is reported:
Warning: Cannot modify header information - headers already sent by (output started at /drupal/common.inc:2575) in drupal_send_headers() (line 1225 of /drupal/includes/bootstrap.inc).
Comment #3
graper CreditAttribution: graper commentedHedley,
is your "access denied" message coming because of a file field that you have on a node, but you're just accessing it via the taxo term page?
Comment #4
hedley CreditAttribution: hedley commentedIt's happening with a file field on a taxonomy bundle not a node, file fields on a node are working fine for me.
Comment #5
jeff.maes CreditAttribution: jeff.maes commentedIt's also happening with a file field on users.
Comment #6
DeNelo CreditAttribution: DeNelo commentedFiles added through a file field set to Private can only be downloaded by the admin. They should be accessible to authenticated users, but they are not - they get a 403.
Default dl method is Public.
Comment #7
DeNelo CreditAttribution: DeNelo commentedHmmm - seems to work fine now. Must have been a cache mess-up - switching between authorized and unauthorized users a lot.
Comment #8
nonzod CreditAttribution: nonzod commentedI've same issue with files uploaded programmatically.
I create a file after an export, with
and return a correct file object (and the file exist in the directory), then I try to download the file via http://domain.tld/system/files/filename.txt with the admin user and recive access denied in the recent logs ...
I tried to put private directory inside and outside the sites/default/files/ dir but is the same, I'm sure that isn't a filesystem permissions problem's (tried chmod 777 ad apache user as owner).
someone can explain me why?
Comment #9
Jake-B CreditAttribution: Jake-B commentedI think the problem might be in the function file_get_file_reference. My thought process:
For me, appending "->addMetaData('account', user_load(1))" at the end of the EntityQuery seemed to fix the issue... but I don't know the core well enough to know if this is a good idea, fix, or just a bad idea (security problem).
Comment #10
Jake-B CreditAttribution: Jake-B commentedHere is my attempt at a patch that fixes this issue for me.
This is my first attempt to contribute, so be kind. I'll leave it up to the Drupal core and file module gurus to determine if this is really a needed fix or just a poor workaround.
The file_get_file_references function is documented as "Retrieves a list of references to a file". With a file field attached to the comment entity, this function was returning an empty set for users other than admin users.
My understanding is that this list of references is then used by the file module to determine if the user has access to any of the parent entities to which the file is attached. Its possible that the real problem is in "EntityFieldQuery", and that it is not properly finding that the user has access to the entity, so it is returning null.
Since the module does subsequent access checks on these references using 'file_download_access', I think that this patch allowing allowing the EntityFieldQuery to return all references regardless of security should be okay.
Comments welcome.
Comment #11
Dave Cohen CreditAttribution: Dave Cohen commentedThat patch concerns me, as it loads user 1 and somehow attaches it to the query. The query API is so confusing I have no idea what effect that has. I'm just concerned that it will show private files to a user who really shouldn't be seeing them.
That said, I added an image field to my user entities, and made the storage private. Now, users who upload an image cannot view it, they get access denied.
I can confirm that without the patch, file_get_file_references() returns an empty array. With the patch it seems to work. The file remains hidden from anonymous users. I haven't tested much beyond that. Very interested in a fix.
Comment #12
Dave Cohen CreditAttribution: Dave Cohen commentedI made several attempts to debug this further. I want to see how that patch in #10 affects the queries sent to the database. I was stymied though. I'm unable to get a log of the database queries either with or without that patch applied. Drupal 7 is truly difficult to debug.
I consider this a pretty serious issue. To sum up my particular case: "Image fields on users using private storage cannot be seen by the user who uploads them." I suspect any file uploaded to any entity (except maybe nodes) can only be seen by administrators, if that field uses private storage.
The original post claims, "If the Drupal system is changed to public, the file is still private, but now downloads properly..." This is not the case for me. I have found no workaround, short of patch #10, to allow the user who uploaded an image to his account to see that image.
Comment #13
BerdirWorks fine for me with the latest 7.x, added a private filed to user, uploaded a file and was able to view it.
There was an issue with EFQ in 7.14, make sure that you update to 7.15 before testing.
Comment #14
Dave Cohen CreditAttribution: Dave Cohen commentedYeah, I had been using 7.14. Upgrade to 7.15 fixes problem.
The fix in 7.15 is the same concept as the patch in #10. As far as I can tell, in 7.15 field.module does this to the query:
->addTag('DANGEROUS_ACCESS_CHECK_OPT_OUT')
Comment #16
Anonymous (not verified) CreditAttribution: Anonymous commentedSorry to reopen.
I have that problem too. I don't know if it's the nginx config or an internal problem. I use the perusio's config.
I am unable to display any file in the private folder. I have a 403 according to Firebug. So, I can't see my logo, favicon, etc...
Can you help me ?
Thanks.
Comment #17
marcingy CreditAttribution: marcingy commentedComment #18
Shevchuk CreditAttribution: Shevchuk commentedSame issue.. I'm also using Storage API module though, don't know if that could affect.
Comment #19
rivimeyJust wanted to say me too. D7.23, a config with private filesystem setup and the field set to private as well. I had uploaded a Default image to the Image field, which wasn't displaying. I had uploaded the image using the Content type editor's Browse/Upload widget and it appeared in the sites/default/files_private area as expected.
The images were "access denied" even logged in as admin user, and there was no obvious reason for it. Even the access permissions were setup appropriately (i.e. not relying on user/1 behaviour).
Switching the field to public files results in the deafult image being displayed properly.
Comment #20
drupal squirrel CreditAttribution: drupal squirrel commented...and the same here. Have all the very latest versions, permissions are set correctly and only Admin could see private files...
Jake-B's patch fixed the problem for me, and private files get 403 Forbidden for anonymous, so it still seems secure.
EntityFieldQuery returns empty for private files unless user_load(1) is used, or your logged in as Admin.
Bug in EntityFieldQuery?
Comment #21
Renee S CreditAttribution: Renee S commentedI'm seeing the same behaviour as rivimey, default private image isn't displaying, is throwing 403 forbidden even for admin.
eta: on D7.24. Was happening for 7.23 also.
Comment #22
skyredwangI can confirm it's a bug in 7.23, 7.24 but not in 7.15
Comment #23
marcingy CreditAttribution: marcingy commentedDo not change versions please
Comment #24
b.ravanbakhshThis module solved it.
http://drupal.org/project/private_files_download_permission
Comment #25
vsalvans CreditAttribution: vsalvans commentedI'm having the same issues and the private_files_download_permission didn't solve the problem.
It happens on term image field. Every time I upload an image and save the term. I've got no access (as admin too!) and I've got this notice message:
Notice: Array to string conversion in drupal_send_headers() (line 1221 of xxxx/includes/bootstrap.inc).
Permissions on private folder seems ok. Files are uploaded but the system/file module returns access denied.
These are the modules installed:
Thanks!
Comment #26
johnv@surokeen, there is a dedicated issue for the 'term' image: #1327224: Access denied to taxonomy term image
Comment #27
jm_drupal CreditAttribution: jm_drupal commentedHi
I am getting access denied to access private files aswell, private_files_download_permission didn't solve the problem either. Logged in as Super admin/Administrator, still no luck.
Few Drupal settings:
> Drupal version 7.26
>admin/config/media/file-system
--private file system path: /var/www/sitename/sites/default/private
--Default download method set to : Private local files served by Drupal.
>admin/config/media/private-files
--folder_name -> [Logged in Users] selected
>admin/config/media/private-files-download-permission
--Default was: /var/www/sitename/sites/default/private => Added "/private_folder_name" in the box
/private_folder_name -> enabled the user and administrator role
--Folder permission set to 775 recursively
>.htaccess within the private folder:
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Deny from all
Options None
Options +FollowSymLink
>Private file URL, eg.: http://sitename/system/files/private-folder-name/filename.pdf
Administrator has full permissions to the site. Still i get 'Access denied' when try to view/download any private files.
Any ideas? Thanks for your time in advance.
Comment #28
atpaust CreditAttribution: atpaust commentedis there any new progresses here on #27 ? I have the same issue. When images files are uploaded to a Private Directory, they were prohibited to anonymous (and authentic user) access. Someone suggest that the restriction to images might be caused by an access control module
Comment #29
rickupdegrove CreditAttribution: rickupdegrove commentedI can reproduce the original issue on drupal-7.32 I chose "other" as the Component since I don't yet know what core module ImageCache became.
The default image style "large" at /admin/config/media/image-styles/edit/large doesn't seem to even generate.
Both of these return a Access denied. The second one if not even real.
http://localhost/system/files/styles/flex_custom/private/modules/image/s...
or
http://localhost/system/files/styles/flex_custom/private/modules/image/n...
Comment #30
marcingy CreditAttribution: marcingy commentedDo change version number please. Stuff is always fixed in dev first and then goes into a release
Comment #31
marcingy CreditAttribution: marcingy commentedComment #32
commonpike CreditAttribution: commonpike commentedAs per #24 or #25, the private_files_download_permission did solve this for me, but only if
Any other subdirectory kept returning permission denied for authenticated users.
.. Is an acceptable workaround for me.
Comment #33
pandaPowder CreditAttribution: pandaPowder commentedConfirmed this is broken on 7.32 as well using simplytest.me and op's steps to repeat.
Comment #34
LGLC CreditAttribution: LGLC commentedIt's still broken in 7.34 and 7.x-dev too. Here's a patch against 7.x-dev to fix the image styles previews at admin/config/media/image-styles.
As for accessing other image styles with the direct URL in to the private file system, this will only work if there's the correct derivative token query. The image download (and therefore the
hook_file_download()
within image.module) won't actually happen unless this image derivative token is present, as checked for inimage_style_deliver()
:The patch does the following:
image_file_download()
deal with the sample image (which wouldn't have had its access granted by any modules due to being outside of the usual private file folder).Comment #35
LGLC CreditAttribution: LGLC commentedJust realised I didn't update the links ('view actual size' and clicking on the image) to use the token. New patch attached.
Comment #36
berte CreditAttribution: berte commentedHi,
I'm jumping in cause I'm facing a similar problem with Drupal 7.34.
1) As admin, I cannot see (got 403) the generated preview within the image styles admin page. Premissions on the file system are set correctly and the images are generated. I just got Forbidden when apache serve them.
=> patch in #35 corrected this.
2) As authenticated user, I cannot see (403 errors) user profile pictures (style is default "Thumbnail"), while as admin I have no problem. Again, permissions on the server are OK.
My private file system is outside the root.
Comment #37
nithinkolekar CreditAttribution: nithinkolekar commentedComment #38
deanflory CreditAttribution: deanflory as a volunteer commentedThis is something that is still important and still being overlooked. It has plagued me in development through the entire D7 experience. If D8 is released before this is fixed it'll never get fixed.
Why is user1 being denied seeing any image? I'm going to try the patch in #35. This error makes using a private file system truly damaged and at times hinders productivity (can't see image previews to choose a background image when using dynamic_background for instance) for admins and end users.
Comment #39
deanflory CreditAttribution: deanflory as a volunteer commentedPatch in #35 did not clear up my issues, nor flushing cache multiple times, nor running cron multiple times. I have one site that won't show any file previews and another that does in certain areas (like dynamic_background on a node, while image styles preview images still do not show up).
Comment #40
Heine CreditAttribution: Heine commentedI can reproduce the reported issue "Image style previews doen't show when using a private file system" on a vanilla Drupal 7.x-dev installation.
However, the root cause for access denied on the style previews, may or may not be related to access issues with other files (avatars, taxonomy terms). For example, avatars not showing are likely due to an issue in Media browser plus #2595131: "File (Field) Paths" module broken by "Media Browser Plus" 7.x-3.0-beta3.
Please keep the issue focus on the style previews and open additional issues for other files.
Comment #41
Heine CreditAttribution: Heine commentedImage style samples do not show up when private files are enabled because:
Comment #42
Heine CreditAttribution: Heine commentedHiding patch #10 because it is off-topic.
Comment #43
pbcelery CreditAttribution: pbcelery commentedBump. I have a simple Drupal 7 site...we can see private files, after login, but core image styles and avatars are broken.
Comment #44
salvisI can still (or again?) reproduce this problem in 7.51-dev on Windows (which means it's not an OS file system issue):
The log says
#35 makes the thumbnail show up. Thanks, LGLC!
Comment #45
arne_hortell CreditAttribution: arne_hortell commentedI tested the patch #35 above and it didnt work for me, 7.50 as is
BUT
The code changes in the patch worked when i edited the files manually
Comment #46
bdanin CreditAttribution: bdanin commentedRunning Drupal 7.50, the patch from #35 worked well for me and fixed this, thanks!
Comment #47
tajinder.minhas CreditAttribution: tajinder.minhas as a volunteer and at SDG Corporation commentedRunning Drupal 7.52, i have applied patch 35 by editing files manually and refresh cache but still getting access denied message and image is broken
Comment #48
tajinder.minhas CreditAttribution: tajinder.minhas as a volunteer and at SDG Corporation commentedApplied Patch #35 after changing code manually for 7.52 and there were 2 semi colons at the end of the line
and an extra line after
So removed in the patch attached. And it is getting applied cleanly. Please review the patch
Comment #49
rivimeytajinder, many thanks for your contribution. I know it is a pain, but an interdiff.txt file would be helpful in this sort of situation (i.e. a patch that others have worked on and agreed is good that you are proposing a change for). It just makes it easier to spot (and thus easier to approve) the change you made.
An interdiff file is a diff between the original patch state and the new patch state (which is not quite the same as a 'diff' between the two patch files!. If you're using git, and your latest change is 1 commit, then 'git diff HEAD~1' does the trick. ... or perhaps just a 'git diff' if you committed the earlier patch and not your current change.
Comment #50
tajinder.minhas CreditAttribution: tajinder.minhas as a volunteer and at SDG Corporation commentedHello rivimey,
I am attaching diff.txt file of two patches. I mentioned that patch #35 is working fine but it had an extra line after } and two semi colons at line 291 so i just removed both of these two points and created patch again.
Comment #51
AshwinB CreditAttribution: AshwinB commentedThe patch from #35 + changes from #50 together works. I tested with Drupal 7.53 and PHP 7.
Comment #52
salvisI just patched 7.54 with #35 without any problems:
I see the two minor issues mentioned by tajinder.minhas, but the patch applies fine.
Comment #53
rivimey@salvis, can you explain why you chose #35 rather than #48, which would seem to be the obvious choice? Is there a problem with #48?
Comment #54
RoSk0Patch applies cleanly and fixes problem.
Attached patch version just fixes minor white space issue and replaces tab with spaces.
Comment #57
RoSk0Those random test failures are really frustrating...
Comment #58
AshwinB CreditAttribution: AshwinB commentedPatch #35 with changes from #50 works good on drupal 7.54. No errors. I am on php7
Comment #59
salvis@rivimey in #53:
No, there is no problem with #48 or #54, the three patches are functionally identical except for cosmetic style guide improvements. The people who weren't able to apply #35, won't be able to apply the later ones either, not because of the patch, but because of their own problems.
My reason for checking #35 again is to get those people to look into their patching process, hoping that they'll be able to apply #54 rather than down-voting it.
Comment #60
Heine CreditAttribution: Heine commentedAmpersands need to be escaped as
&
. Is the preview URL correct when url rewrites are off?Shouldn't the elseif clause also check whether the scheme used for the sample image matches the scheme on $uri?
Comment #61
tameeshb CreditAttribution: tameeshb at Google Summer of Code commentedchanged & to &
Comment #62
tameeshb CreditAttribution: tameeshb at Google Summer of Code commentedComment #63
MikeHauden CreditAttribution: MikeHauden commentedSubscribe.
Comment #64
mzwyssig CreditAttribution: mzwyssig commented#61 works for me. Any idea when this will be implemented ?
Comment #65
cilefen CreditAttribution: cilefen at Institute for Advanced Study commentedIt needs a review done.
Comment #66
rivimeyCode looks ok to me, apart from the following:
Line is too long / too complex. Please refactor into components and keep lines under ~ 80 chars
Comment #67
cafuego CreditAttribution: cafuego at United Nations commentedI'm putting this back on RTBC.
Although the line @rivimey mentions is long and complex, it *was* long and complex to begin with, as are other lines in the same file. This issue is to fix a bug that breaks functionality, not to clean up only part of the code.
Comment #68
salvisI agree with @cafuego. the 80-char limit is for comments, not for code.
Comment #69
Donit CreditAttribution: Donit commented#61 doesn't work with encrypted files.
Comment #70
salvisWith #61 I'm seeing
check_plain() already does the escaping.
However, something must have changed in core at some point since 7.54, because even the prior patches have stopped working for me. I'm not getting access denied (as user 1), but the sample derived image is not showing.
Comment #71
joseph.olstadI've tested this with Drupal core with or without file_entity and ctools
Drupal core vanilla 7.39 , private thumnails worked
I used sites/default/files/private for a private folder (this is ok by the way)
repeated test with and without the patch on 7.59 and 7.x dev , still works.
I was unable to reproduce the issue, style previews work for me in the node edit screen, the thumbnail 100x100
and I checked the image path, it was generated through system not /sites/files
This is working as designed as far as I am concerned.
Updating issue status accordingly.
I suggest you review your server filesystem permissions, the web server needs to be able to read and write to the private folder, preferably as private folder owner.
Comment #72
joseph.olstadIn my tests I used sites/default/files/private as the private folder. Drupal will automatically put an .htaccess file and limit read access to this so web users on an apache server will not be able to read this folder.
If you're using nginx or IIS , or some other web server you may have to lock down the permissions , create your own .htaccess equivalent (the file is .htaccess in private)
Comment #73
salvisThank you for the leads. I'm on Apache, and I'll investigate this further, but for now can we agree that the line
in #61 will deliver HTML with a double-escaped ampersand on the admin/config/media/image-styles/edit/medium page?
Comment #74
nithinkolekar CreditAttribution: nithinkolekar commented@joseph.olstad
could you please test with the steps at #1438940-14: Private stored default images give access denied ?