I urgently needed a solution to protect some CCK file fields with the same permissions as the nodes and fields, so I've hack together a patch for private_upload that does this.

One thing I've had to do is use Apache RewriteEngine in the .htaccess file. This may not be ideal for all setups.

This is attempt #1, I've done only basic testing nothing extensive but it seems to work.

CommentFileSizeAuthor
private_upload-cck-fields.diff2.6 KBasciikewl
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

YesCT’s picture

YesCT CreditAttribution: YesCT commented

subscribing

m2calabr’s picture

m2calabr CreditAttribution: m2calabr commented
Status: Needs review » Reviewed & tested by the community

I have applied and tested this patch and it works great. I would love for this to be included in the next version.

slucas’s picture

slucas CreditAttribution: slucas commented
Status: Reviewed & tested by the community » Needs review

I've tested this patch on dev version, it doesn't work for me.
The problem is that the file is never accessible (the .htaccess don't get replace ?)
....
After lot's of tests, I realize that this patch need to have two module installed
if (module_exists('content') && module_exists('filefield_paths')) {

I don't really underestand why filefield_paths is mandatory, nor why they is not filefield in the condition, but I realized that filefield_paths was missing in my installation so this condition was not tested TRUE.
So I install it.

But after that the contrary behavior occured, the file is always accessible.
I tested also with an attachement file (in the same node than the cck file field), the access control is correct for it.

I don't know exactly what do really the access restriction hook_file_download ?
Does this hook is being called ?

Can you help me de debug this ?