Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Issue #2305017 by David_Rothstein, slashrsm, marcingy: Add a 'file_public_schema' variable to allow bypassing file download access checks in managed file upload fields

merge-requests/26/head
David Rothstein 2015-03-31 00:11:39 -04:00
parent 668db719eb
commit f4e61ed0c0
2 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGELOG.txt
View File

@ -1,6 +1,9 @@
Drupal 7.36, xxxx-xx-xx (development version)
-----------------------
- Added a 'file_public_schema' variable which allows modules that define
publicly-accessible streams in hook_stream_wrappers() to bypass file download
access checks when processing managed file upload fields.
- Fixed a bug that caused database query tags not to be added to search-related
database queries under many circumstances, and which prevented the
corresponding hook_query_TAG_alter() implementations from being called.

12
modules/file/file.module
View File

@ -519,7 +519,17 @@ function file_managed_file_value(&$element, $input = FALSE, $form_state = NULL)
// public file) to confirm it exists and that the current user has access
// to it.
if (isset($input['fid']) && ($file = file_load($input['fid']))) {
if (file_uri_scheme($file->uri) == 'public' || file_download_access($file->uri)) {
// By default the public:// file scheme provided by Drupal core is the
// only one that allows files to be publicly accessible to everyone, so
// it is the only one for which the file access checks are bypassed.
// Other modules which provide publicly accessible streams of their own
// in hook_stream_wrappers() can add the corresponding scheme to the
// 'file_public_schema' variable to bypass file access checks for those
// as well. This should only be done for schemes that are completely
// publicly accessible, with no download restrictions; for security
// reasons all other schemes must go through the file_download_access()
// check.
if (in_array(file_uri_scheme($file->uri), variable_get('file_public_schema', array('public'))) || file_download_access($file->uri)) {
$fid = $file->fid;
}
// If the current user doesn't have access, don't let the file be