From c3fa160dca988c221d7a34c327fd8c81a4df2483 Mon Sep 17 00:00:00 2001
From: webchick
Date: Tue, 28 Feb 2012 10:17:41 -0800
Subject: [PATCH] Issue #1425330 by swentel, grendzy, davereid, wojtha, c960657: Fixed Apply Aggregator and OpenID fixes from DRUPAL-SA-CORE-2012-001.
---
 core/modules/file/file.api.php | 12 ++++++------
 core/modules/file/file.module | 21 ++++++++++++---------
 core/modules/file/tests/file.test | 15 ++++++++++++++-
 3 files changed, 32 insertions(+), 16 deletions(-)
diff --git a/core/modules/file/file.api.php b/core/modules/file/file.api.php
index 7f20d83f852..72aae40c9b1 100644
--- a/core/modules/file/file.api.php
+++ b/core/modules/file/file.api.php
@@ -12,8 +12,8 @@
 * file is referenced, e.g., only users with access to a node should be allowed
 * to download files attached to that node.
 *
- * @param $field
- * The field to which the file belongs.
+ * @param array $file_item
+ * The array of information about the file to check access for.
 * @param $entity_type
 * The type of $entity; for example, 'node' or 'user'.
 * @param $entity
@@ -26,7 +26,7 @@
 *
 * @see hook_field_access().
 */
-function hook_file_download_access($field, $entity_type, $entity) {
+function hook_file_download_access($file_item, $entity_type, $entity) {
 if ($entity_type == 'node') {
 return node_access('view', $entity);
 }
@@ -45,8 +45,8 @@ function hook_file_download_access($field, $entity_type, $entity) {
 * An array of grants gathered by hook_file_download_access(). The array is
 * keyed by the module that defines the entity type's access control; the
 * values are Boolean grant responses for each module.
- * @param $field
- * The field to which the file belongs.
+ * @param array $file_item
+ * The array of information about the file to alter access for.
 * @param $entity_type
 * The type of $entity; for example, 'node' or 'user'.
 * @param $entity
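Review bot: The first parameter of hook_file_download_access() changes meaning from the field definition to a field item while the signature keeps three positional arguments, so an existing implementation that reads definition keys such as `$field['field_name']` from it will silently receive the item array instead of failing; the docblock should say so and the issue should carry a change record. The new `@param` text is vague ("information about the file") and could state what the item is, e.g. `The field item array referencing the file, as returned by field_get_items(); it carries the file's 'uri'.` — the 'uri' key is what file.module matches on in this commit. The example body in the hunk still decides on `$entity_type` alone and does not use `$file_item`, which is acceptable for an example. The return-value description of this hook sits between the first two hunks and is not visible here.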
@@ -58,7 +58,7 @@ function hook_file_download_access($field, $entity_type, $entity) {
 * module's value in addition to other grants or to overwrite the values set
 * by other modules.
 */
-function hook_file_download_access_alter(&$grants, $field, $entity_type, $entity) {
+function hook_file_download_access_alter(&$grants, $file_item, $entity_type, $entity) {
 // For our example module, we always enforce the rules set by node module.
 if (isset($grants['node'])) {
 $grants = array('node' => $grants['node']);
diff --git a/core/modules/file/file.module b/core/modules/file/file.module
index c9518074221..485639b04d4 100644
--- a/core/modules/file/file.module
+++ b/core/modules/file/file.module
@@ -164,24 +164,27 @@ function file_file_download($uri, $field_type = 'file') {
 // Try to load $entity and $field.
 $entity = entity_load($entity_type, array($id));
 $entity = reset($entity);
- $field = NULL;
+ $field = field_info_field($field_name);
+
+ // Load the field item that references the file.
+ $field_item = NULL;
 if ($entity) {
- // Load all fields for that entity.
+ // Load all field items for that entity.
 $field_items = field_get_items($entity_type, $entity, $field_name);
 // Find the field item with the matching URI.
- foreach ($field_items as $field_item) {
- if ($field_item['uri'] == $uri) {
- $field = field_info_field($field_name);
+ foreach ($field_items as $item) {
+ if ($item['uri'] == $uri) {
+ $field_item = $item;
 break;
 }
 }
 }
- // Check that $entity and $field were loaded successfully and check if
- // access to that field is not disallowed. If any of these checks fail,
- // stop checking access for this reference.
- if (empty($entity) || empty($field) || !field_access('view', $field, $entity_type, $entity)) {
+ // Check that $entity, $field and $field_item were loaded successfully
+ // and check if access to that field is not disallowed. If any of these
+ // checks fail, stop checking access for this reference.
+ if (empty($entity) || empty($field) || empty($field_item) || !field_access('view', $field, $entity_type, $entity)) {
 $denied = TRUE;
 break;
 }
diff --git a/core/modules/file/tests/file.test b/core/modules/file/tests/file.test
index 538118a0f2a..7c776d3b4be 100644
--- a/core/modules/file/tests/file.test
+++ b/core/modules/file/tests/file.test
@@ -1123,7 +1123,7 @@ class FilePrivateTestCase extends FileFieldTestCase {
 }
 function setUp() {
- parent::setUp('node_access_test');
+ parent::setUp(array('node_access_test', 'field_test'));
 node_access_rebuild();
 variable_set('node_access_test_private', TRUE);
 }
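Review bot: The URI match at `if ($item['uri'] == $uri) {` is now the only link between the requested file and the `$field_item` that the access decision is built on, so it should be a strict comparison, `if ($item['uri'] === $uri) {`, rather than PHP's loose `==` with its numeric-string coercion. The surrounding logic is fail-closed — a missing entity, field definition or matching item sets `$denied` and breaks — which is the right default for a private-file download check. If `field_get_items()` can return FALSE for an entity with no values in `$field_name` (it does in Drupal 7-era code), `foreach ($field_items as $item)` emits a warning on that path; `foreach ((array) $field_items as $item)` would be a cheap guard, although that behaviour predates this hunk. The loop that `$denied` and `break` belong to, and the code that consumes `$field_item` (presumably the hook invocation), lie outside the hunk.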
@@ -1140,6 +1140,10 @@ class FilePrivateTestCase extends FileFieldTestCase {
 $field_name = strtolower($this->randomName());
 $this->createFileField($field_name, $type_name, array('uri_scheme' => 'private'));
+ // Create a field with no view access - see field_test_field_access().
+ $no_access_field_name = 'field_no_view_access';
+ $this->createFileField($no_access_field_name, $type_name, array('uri_scheme' => 'private'));
+
 $test_file = $this->getTestFile('text');
 $nid = $this->uploadNodeFile($test_file, $field_name, $type_name, TRUE, array('private' => TRUE));
 $node = node_load($nid, NULL, TRUE);
@@ -1150,5 +1154,14 @@ class FilePrivateTestCase extends FileFieldTestCase {
 $this->drupalLogOut();
 $this->drupalGet(file_create_url($node_file->uri));
 $this->assertResponse(403, t('Confirmed that access is denied for the file without the needed permission.'));
+
+ // Test with the field that should deny access through field access.
+ $this->drupalLogin($this->admin_user);
+ $nid = $this->uploadNodeFile($test_file, $no_access_field_name, $type_name, TRUE, array('private' => TRUE));
+ $node = node_load($nid, NULL, TRUE);
+ $node_file = (object) $node->{$no_access_field_name}[LANGUAGE_NONE][0];
+ // Ensure the file cannot be downloaded.
+ $this->drupalGet(file_create_url($node_file->uri));
+ $this->assertResponse(403, t('Confirmed that access is denied for the file without view field access permission.'));
 }
 }
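Review bot: Neither new assertion exercises the `empty($field_item)` branch this commit adds to file_file_download(); a request for a private URI that the node references but that matches no item of the named field is the case that branch guards, and it has no test here. The second half also leaves `$this->admin_user` logged in and only checks the denied field, so unless the lines before this hunk already assert a 200 for that user on the first field's file, a regression that denies every private download would still pass; keeping the first node's `$node_file` under its own name and re-requesting it after the second upload with `$this->assertResponse(200)` would pin that. Reusing `$nid`, `$node` and `$node_file` for the second node reads awkwardly — `$no_access_nid` and `$no_access_node` would keep the two fixtures distinct. The test method opens in the previous hunk and the lines between the two hunks are not shown.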