Issue #1890754 by Heine, pwolanin, tim.plunkett, Berdir: Fixed Private Images visible by url.
parent
79941b52b6
commit
afeed9ed44
|
@ -301,7 +301,8 @@ function image_file_download($uri) {
|
||||||
if ($info = image_get_info($uri)) {
|
if ($info = image_get_info($uri)) {
|
||||||
// Check the permissions of the original to grant access to this image.
|
// Check the permissions of the original to grant access to this image.
|
||||||
$headers = module_invoke_all('file_download', $original_uri);
|
$headers = module_invoke_all('file_download', $original_uri);
|
||||||
if (!in_array(-1, $headers)) {
|
// Confirm there's at least one module granting access and none denying access.
|
||||||
|
if (!empty($headers) && !in_array(-1, $headers)) {
|
||||||
return array(
|
return array(
|
||||||
// Send headers describing the image's size, and MIME-type...
|
// Send headers describing the image's size, and MIME-type...
|
||||||
'Content-Type' => $info['mime_type'],
|
'Content-Type' => $info['mime_type'],
|
||||||
|
|
|
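Review bot: The comment above the new condition `if (!empty($headers) && !in_array(-1, $headers))` says what is checked but not why an empty result must now deny. Before this change, a derivative whose original was claimed by no module passed the old `!in_array(-1, $headers)` test and had the image headers returned for it. I would spell that out, e.g. `// No headers means no module claimed the original, so deny by default;` followed by `// a -1 from any module is an explicit denial.` The loose `in_array()` errs towards denial, so I would leave it as it is. image_file_download() starts and ends outside the hunk, so the path taken when this condition fails is not visible here.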
@ -136,6 +136,12 @@ class ImageStylesPathAndUrlTest extends WebTestBase {
|
||||||
$this->drupalGet($generate_url);
|
$this->drupalGet($generate_url);
|
||||||
$this->assertResponse(200, 'Image was generated at the URL.');
|
$this->assertResponse(200, 'Image was generated at the URL.');
|
||||||
|
|
||||||
|
// Make sure that access is denied for existing style files if we do not
|
||||||
|
// have access.
|
||||||
|
state()->delete('image.test_file_download');
|
||||||
|
$this->drupalGet($generate_url);
|
||||||
|
$this->assertResponse(403, 'Confirmed that access is denied for the private image style.');
|
||||||
|
|
||||||
// Repeat this with a different file that we do not have access to and
|
// Repeat this with a different file that we do not have access to and
|
||||||
// make sure that access is denied.
|
// make sure that access is denied.
|
||||||
$file_noaccess = array_shift($files);
|
$file_noaccess = array_shift($files);
|
||||||
|
|
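Review bot: The added 403 assertion covers only the first half of the new access condition, the case where no module grants access after `state()->delete('image.test_file_download')`; a grant from one module combined with a -1 from another is not exercised in this hunk. A second case with a denying module would pin the `!in_array(-1, $headers)` half as well, if the test module can be made to return -1. I would also have the comment state the mechanism: `// Removing the state key stops the test module granting access, so the` followed by `// existing derivative must now return 403.` That the state key drives a test module's grant is inferred from its name, and the test method starts and ends outside the hunk.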