Commit 21137e1a authored by Dries's avatar Dries

- Patch #247095 by drewish ad flobruit: upload module performs permission...

- Patch #247095 by drewish and flobruit: upload module performs permission checks on files it doesn't control.
parent 757dbee6
......@@ -146,13 +146,13 @@ function _upload_file_limits($user) {
/**
* Implementation of hook_file_download().
*/
function upload_file_download($file) {
if (!user_access('view uploaded files')) {
return -1;
}
$file = file_create_path($file);
function upload_file_download($filepath) {
$filepath = file_create_path($filepath);
$result = db_query("SELECT f.* FROM {files} f INNER JOIN {upload} u ON f.fid = u.fid WHERE filepath = '%s'", $file);
if ($file = db_fetch_object($result)) {
if (!user_access('view uploaded files')) {
return -1;
}
return array(
'Content-Type: ' . $file->filemime,
'Content-Length: ' . $file->filesize,
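Review bot: As rendered here, the `db_query()` call still passes `$file` as its `'%s'` argument, although the new signature renames the parameter to `$filepath` and nothing assigns `$file` before the query runs. If that is the committed state, the lookup uses an undefined value and matches no row, so the `user_access('view uploaded files')` check inside the `if` is never reached and the hook returns nothing, even for files the upload module does own. The trailing argument should be `$filepath`. A short comment above the inner check, such as `// Only deny access for files tracked in {upload}; other paths are left to their owning module.`, would also record why the check moved. The function body continues past the end of this hunk.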
......