Title says it all really. The only way I can allow anonymous download or view for private documents is to give the user "bypass file access control" permission. Awk.

CommentFileSizeAuthor
#2 allow-anonymous-private-file-access-2031919-1.patch1.28 KBklaasvw

Comments

johnpitcairn’s picture

johnpitcairn commented
Title: file/fid/download: access denied for user with "view private files" and "Document: download any file" » Access denied for anonymous users with "view private files" and "Document: download any file" permissions

File entity will also deny access to the direct file url (system/files/path/to/file) for anonymous users who have "view private files" permission.

file_entity_file_download() checks access by passing the "view" op to file_entity_access() - even though it is possible to grant the appropriate view permission to anonymous users, this will be ignored:

    if (!empty($wrapper['private'])) {
      // For private files, users can view private files if the
      // user is not anonymous, and has the 'view private files' permission.
      if (!empty($account->uid) && user_access('view private files', $account)) {
        return $rights[$account->uid][$cache_id][$op] = TRUE;
      }

View access at file/fid is denied because in that case file_entity_file_entity_access() returns FILE_ENTITY_ACCESS_IGNORE, but that then falls back to the default "view" behavior $account->uid check as above. No anonymous view.

Download access at file/fid/download is denied for reasons I have not yet figured out.

This is a major WTF for site builders. If somebody wants to grant those permissions to anonymous users and is able to do so, the expectation is that they will be honored.

klaasvw’s picture

klaasvw commented
Status: Active » Needs review
StatusFileSize
new allow-anonymous-private-file-access-2031919-1.patch1.28 KB

I had the same issue where anonymous users couldn't download private files, even though they have the permission to do so.

The attached patch will fix this.

johnpitcairn’s picture

johnpitcairn commented

It's certainly easy enough to patch. In my case I implemented hook_file_entity_access() to allow direct access to the file uri.

But I am wondering if this restriction is "by design" for some good reason. If so, the permissions are contradictory and altering the permissions form to disable the anonymous checkboxes could perhaps be considered.

klaasvw’s picture

klaasvw commented

Yeah, would be great to get some maintainer feedback on why this was done.

But even though it's by design, I'm not sure what the point of using a permission is if a role (anonymous) is hardcoded. Personally I would leave this to the site builder to decide, or at the very minimum provide a default when installing the module.

havran’s picture

havran commented

I had same experience.

Ravenight’s picture

Ravenight commented

This patch worked as intended.

mattman’s picture

mattman commented

I would hopefully doubt that the restriction is "by design". As John points out, the permissions are contradictory. The user perception of the permissions is one of explicit control - not implicit.

When a user checks View private files - for anonymous user and also checks Download any files - for anonymous user the expectation should be met.

This is, in my opinion a bug. It adversely affects any module which is implementing hook_file_download(). In my case, my module file_access, which grants or denies access to files on a per role basis, must knowingly implement hook_file_entity_access() in order to operate properly. This shouldn't be the case and file_entity should play nice with other modules.

If a user installs file_entity and does check the expected permissions, this causes modules using hook_file_download() to break because it preempts them.

This should be fixed.

matthewgann’s picture

matthewgann commented

I'm having the same issue but the patch on #2 doesn't seem to work with latest dev (at least for me).

mirzu’s picture

mirzu commented
Status: Needs review » Reviewed & tested by the community

Patch works as expected.

Anonymous user can download files when the anon user has that permission. Take away the permission and their access is also revoked.

dave reid’s picture

dave reid
he/him
Primary language English
Location Nebraska USA
commented
Status: Reviewed & tested by the community » Fixed

While I don't quite understand why you'd use private files if you are going to allow all anonymous users to download them in the first place, since it defeats the purpose of having private files in the first place, I think this makes sense.

Committed to 7.x-2.x and thanks all! http://drupalcode.org/project/file_entity.git/commit/102c2e4

johnpitcairn’s picture

johnpitcairn commented

Just to clarify: Not all anonymous users. We are using private files because we want to decide whether an anonymous user can download them based on whether the user has previously supplied a name and email address (we check a cookie). If they have, we give them the file. If not, we need to present a form to collect that data.

dave reid’s picture

dave reid
he/him
Primary language English
Location Nebraska USA
commented

Then I assume you're using hook_file_entity_access(), which takes precedence over the above code? I'm confused still why this was even a problem?

johnpitcairn’s picture

johnpitcairn commented

Yes, but it struck me as a major WTF the way that file entity blindly overrides the anonymous permission. Anonymous users have no direct access to file/fid paths, all interaction with downloadable documents uses the system file path, yet file entity blocks access to that unless something explicitly allows it by implementing the file entity hook - not really a logical extension of core's allow-by-default handling for private files, in my view.

Thanks for the fix and commit, appreciated.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous’s picture

(not verified) commented
Issue summary: View changes

Clarification posted, title change