Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.When handling an image style, image_file_download checks the access to the original file to determine if the request can be answered rather than denied. However, when it does this check, it only checks for explicit access denial (value of -1), and not for no responses, which is the other case for which file_download considers a file inaccessible.
This can result in the case where access to an original image, uploaded to an image field on a node_access-restricted node, is denied, but access to its image style derivatives is not. I can think of cases where this behavior might actually be desirable, but I can also think of (more) cases where it is not.
Naturally, you could fix this with additional custom hook implementation. However, if others agree that this is a bug, I see a couple ways to approach fixing this, both involving minor changes to image_file_download():
1. Add an array_filter() check alongside the in_array(-1 ...) check when determining if access is denied, or
2. Return -1 when handling original file that is access denied (this seems less obvious and more likely to have unintended consequences to me).
So -- is this in fact a bug, or is this expected behavior? If it's definitely a bug, I can whip up a patch to address it.
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | 1710654-2-image_file_dowload_access.patch | 652 bytes | epieddy |
Comments
Comment #1
epieddy CreditAttribution: epieddy commentedHi,
Same here.
In my opinion it is a bug. I made a patch.