Issue #1425330 by swentel, grendzy, davereid, wojtha, c960657: Fixed Apply Aggregator and OpenID fixes from DRUPAL-SA-CORE-2012-001.

2012-02-28 10:17:41 -08:00 · 2012-02-28 10:17:41 -08:00 · c3fa160dca
parent b150eb3f94
commit c3fa160dca
3 changed files with 32 additions and 16 deletions
--- a/core/modules/file/file.api.php
+++ b/core/modules/file/file.api.php
@ -12,8 +12,8 @@
 * file is referenced, e.g., only users with access to a node should be allowed
 * to download files attached to that node.
 *
- * @param $field
- *   The field to which the file belongs.
+ * @param array $file_item
+ *   The array of information about the file to check access for.
 * @param $entity_type
 *   The type of $entity; for example, 'node' or 'user'.
 * @param $entity
@ -26,7 +26,7 @@
 *
 * @see hook_field_access().
 */
-function hook_file_download_access($field, $entity_type, $entity) {
+function hook_file_download_access($file_item, $entity_type, $entity) {
  if ($entity_type == 'node') {
    return node_access('view', $entity);
  }
@ -45,8 +45,8 @@ function hook_file_download_access($field, $entity_type, $entity) {
 *   An array of grants gathered by hook_file_download_access(). The array is
 *   keyed by the module that defines the entity type's access control; the
 *   values are Boolean grant responses for each module.
- * @param $field
- *   The field to which the file belongs.
+ * @param array $file_item
+ *   The array of information about the file to alter access for.
 * @param $entity_type
 *   The type of $entity; for example, 'node' or 'user'.
 * @param $entity
@ -58,7 +58,7 @@ function hook_file_download_access($field, $entity_type, $entity) {
 *   module's value in addition to other grants or to overwrite the values set
 *   by other modules.
 */
-function hook_file_download_access_alter(&$grants, $field, $entity_type, $entity) {
+function hook_file_download_access_alter(&$grants, $file_item, $entity_type, $entity) {
  // For our example module, we always enforce the rules set by node module.
  if (isset($grants['node'])) {
    $grants = array('node' => $grants['node']);
--- a/core/modules/file/file.module
+++ b/core/modules/file/file.module
@ -164,24 +164,27 @@ function file_file_download($uri, $field_type = 'file') {
        // Try to load $entity and $field.
        $entity = entity_load($entity_type, array($id));
        $entity = reset($entity);
-        $field = NULL;
+        $field = field_info_field($field_name);
+
+        // Load the field item that references the file.
+        $field_item = NULL;
        if ($entity) {
-          // Load all fields for that entity.
+          // Load all field items for that entity.
          $field_items = field_get_items($entity_type, $entity, $field_name);

          // Find the field item with the matching URI.
-          foreach ($field_items as $field_item) {
-            if ($field_item['uri'] == $uri) {
-              $field = field_info_field($field_name);
+          foreach ($field_items as $item) {
+            if ($item['uri'] == $uri) {
+              $field_item = $item;
              break;
            }
          }
        }

-        // Check that $entity and $field were loaded successfully and check if
-        // access to that field is not disallowed. If any of these checks fail,
-        // stop checking access for this reference.
-        if (empty($entity) || empty($field) || !field_access('view', $field, $entity_type, $entity)) {
+        // Check that $entity, $field and $field_item were loaded successfully
+        // and check if access to that field is not disallowed. If any of these
+        // checks fail, stop checking access for this reference.
+        if (empty($entity) || empty($field) || empty($field_item) || !field_access('view', $field, $entity_type, $entity)) {
          $denied = TRUE;
          break;
        }
--- a/core/modules/file/tests/file.test
+++ b/core/modules/file/tests/file.test
@ -1123,7 +1123,7 @@ class FilePrivateTestCase extends FileFieldTestCase {
  }

  function setUp() {
-    parent::setUp('node_access_test');
+    parent::setUp(array('node_access_test', 'field_test'));
    node_access_rebuild();
    variable_set('node_access_test_private', TRUE);
  }
@ -1140,6 +1140,10 @@ class FilePrivateTestCase extends FileFieldTestCase {
    $field_name = strtolower($this->randomName());
    $this->createFileField($field_name, $type_name, array('uri_scheme' => 'private'));

+    // Create a field with no view access - see field_test_field_access().
+    $no_access_field_name = 'field_no_view_access';
+    $this->createFileField($no_access_field_name, $type_name, array('uri_scheme' => 'private'));
+
    $test_file = $this->getTestFile('text');
    $nid = $this->uploadNodeFile($test_file, $field_name, $type_name, TRUE, array('private' => TRUE));
    $node = node_load($nid, NULL, TRUE);
@ -1150,5 +1154,14 @@ class FilePrivateTestCase extends FileFieldTestCase {
    $this->drupalLogOut();
    $this->drupalGet(file_create_url($node_file->uri));
    $this->assertResponse(403, t('Confirmed that access is denied for the file without the needed permission.'));
+
+    // Test with the field that should deny access through field access.
+    $this->drupalLogin($this->admin_user);
+    $nid = $this->uploadNodeFile($test_file, $no_access_field_name, $type_name, TRUE, array('private' => TRUE));
+    $node = node_load($nid, NULL, TRUE);
+    $node_file = (object) $node->{$no_access_field_name}[LANGUAGE_NONE][0];
+    // Ensure the file cannot be downloaded.
+    $this->drupalGet(file_create_url($node_file->uri));
+    $this->assertResponse(403, t('Confirmed that access is denied for the file without view field access permission.'));
  }
 }