From f4e61ed0c0521455534a7a6e2fb7f8fedbd0e62f Mon Sep 17 00:00:00 2001
From: David Rothstein <drothstein@gmail.com>
Date: Tue, 31 Mar 2015 00:11:39 -0400
Subject: [PATCH] Issue #2305017 by David_Rothstein, slashrsm, marcingy: Add a
 'file_public_schema' variable to allow bypassing file download access checks
 in managed file upload fields

---
 CHANGELOG.txt            |  3 +++
 modules/file/file.module | 12 +++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index dca1258df02..504e61f6c9e 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,6 +1,9 @@
 
 Drupal 7.36, xxxx-xx-xx (development version)
 -----------------------
+- Added a 'file_public_schema' variable which allows modules that define
+  publicly-accessible streams in hook_stream_wrappers() to bypass file download
+  access checks when processing managed file upload fields.
 - Fixed a bug that caused database query tags not to be added to search-related
   database queries under many circumstances, and which prevented the
   corresponding hook_query_TAG_alter() implementations from being called.
diff --git a/modules/file/file.module b/modules/file/file.module
index 1d5e5698f54..ae452a68325 100644
--- a/modules/file/file.module
+++ b/modules/file/file.module
@@ -519,7 +519,17 @@ function file_managed_file_value(&$element, $input = FALSE, $form_state = NULL)
       // public file) to confirm it exists and that the current user has access
       // to it.
       if (isset($input['fid']) && ($file = file_load($input['fid']))) {
-        if (file_uri_scheme($file->uri) == 'public' || file_download_access($file->uri)) {
+        // By default the public:// file scheme provided by Drupal core is the
+        // only one that allows files to be publicly accessible to everyone, so
+        // it is the only one for which the file access checks are bypassed.
+        // Other modules which provide publicly accessible streams of their own
+        // in hook_stream_wrappers() can add the corresponding scheme to the
+        // 'file_public_schema' variable to bypass file access checks for those
+        // as well. This should only be done for schemes that are completely
+        // publicly accessible, with no download restrictions; for security
+        // reasons all other schemes must go through the file_download_access()
+        // check.
+        if (in_array(file_uri_scheme($file->uri), variable_get('file_public_schema', array('public'))) || file_download_access($file->uri)) {
           $fid = $file->fid;
         }
         // If the current user doesn't have access, don't let the file be