We use a combination of FileField, Protected Download, and CCK Field Permissions to create a special field for uploading documents which can only be seen by paid subscribers. This subscriber-only upload field is attached to the Forum topic content type.

This has worked great in the past, but a recent upgrade has uncovered a problem. Standard authenticated users who are attempting to create a new forum post get the following JavaScript error message:

Message: 'undefined' is null or not an object
Line: 31
Char: 3
Code: 0
URI: /misc/drupal.js

Subscribers and admins do not have this problem, only authenticated users. When debugging drupal.js, I found that the problem is happening in Drupal.redirectFormButton = function (uri, button, handler). At this point filefield.js is attempting to be loaded, and since there is no button for FileField (authenticated users do not have this functionality), it spits out an error message. The button is undefined because filefield.js should not be loading.

My question is, why is filefield.js loading at all for a user who does not have access to it? It should be bypassed and only loaded for those who have the ability to use it. As a temporary fix, I made the following edit (hack) in the filefield_widget function in filefield.module around line 379:

    case 'form':
      if(user_has_role('admin') || user_has_role('content editor')) {
        return  _filefield_widget_form($node, $field, $items);
      }

Obviously this is a pretty bad hack, as it depends directly on role names and uses user_has_role, a custom function I created to identify the roles of the current user. The right way to do this would be to check whether or not the current user has access to the current FileField widget, and only load the widget form if they do. Gives you a starting point if nothing else.

Comments

quicksketch’s picture

quicksketch
he/him
CreditAttribution: quicksketch commented
Priority: Critical » Normal

My question is, why is filefield.js loading at all for a user who does not have access to it?

Probably because in Drupal 5, the concepts of field-level access were still very new (and buggy). CCK was responsible for the rendering of the form (and the access control), so it was probably calling the form even it wasn't used, then setting a #access property.

I'll put this on the list of things to do, but my interest in Drupal 5 is now extremely low. Patches would be appreciated.

quicksketch’s picture

quicksketch
he/him
CreditAttribution: quicksketch commented
Status: Active » Closed (won't fix)

The Drupal 5 version is no longer being actively developed, considering the complexity of the setup, I doubt this problem will ever be fixed. Please reopen if a patch can be provided, otherwise this will remain unfixed.

light-blue’s picture

light-blue CreditAttribution: light-blue commented

thank you ron_s! You saved me a ton of time identifying this problem. Here's a (slightly) less bad hack:

at the top of that function, put

global $user;

then

    case 'form':
      //return  _filefield_widget_form($node, $field, $items);
      if(in_array('YOUR_ROLE_HERE',$user->roles) || in_array('YOUR_ROLE_HERE',$user->roles)) {
        return  _filefield_widget_form($node, $field, $items);
      }
tjvaichus’s picture

tjvaichus CreditAttribution: tjvaichus commented

light-blue

I am getting a similar error ( 'undefined' is not an object ) with Drupal 7 --- where would I place the fix?

Thank you,
Tom