Commit afeed9ed authored by webchick's avatar webchick

Issue #1890754 by Heine, pwolanin, tim.plunkett, Berdir: Fixed Private Images visible by url.

parent 79941b52
...@@ -301,7 +301,8 @@ function image_file_download($uri) { ...@@ -301,7 +301,8 @@ function image_file_download($uri) {
if ($info = image_get_info($uri)) { if ($info = image_get_info($uri)) {
// Check the permissions of the original to grant access to this image. // Check the permissions of the original to grant access to this image.
$headers = module_invoke_all('file_download', $original_uri); $headers = module_invoke_all('file_download', $original_uri);
if (!in_array(-1, $headers)) { // Confirm there's at least one module granting access and none denying access.
if (!empty($headers) && !in_array(-1, $headers)) {
return array( return array(
// Send headers describing the image's size, and MIME-type... // Send headers describing the image's size, and MIME-type...
'Content-Type' => $info['mime_type'], 'Content-Type' => $info['mime_type'],
......
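Review bot: The comment added above `if (!empty($headers) && !in_array(-1, $headers))` says what is tested but not why an empty result has to deny. When no module returns headers for `$original_uri`, nothing has vouched for the original, so the derivative must fail closed; I would word it as `// No module vouching for the original counts as a denial, so derivatives of private files fail closed.` The loose `in_array()` is worth keeping, because it also matches a `'-1'` string and so errs towards denial. image_file_download() starts and ends outside the hunk, so the value returned when the check fails is not visible here; it should be an explicit `-1` rather than a fall-through.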
...@@ -136,6 +136,12 @@ function _testImageStyleUrlAndPath($scheme, $clean_url = TRUE) { ...@@ -136,6 +136,12 @@ function _testImageStyleUrlAndPath($scheme, $clean_url = TRUE) {
$this->drupalGet($generate_url); $this->drupalGet($generate_url);
$this->assertResponse(200, 'Image was generated at the URL.'); $this->assertResponse(200, 'Image was generated at the URL.');
// Make sure that access is denied for existing style files if we do not
// have access.
state()->delete('image.test_file_download');
$this->drupalGet($generate_url);
$this->assertResponse(403, 'Confirmed that access is denied for the private image style.');
// Repeat this with a different file that we do not have access to and // Repeat this with a different file that we do not have access to and
// make sure that access is denied. // make sure that access is denied.
$file_noaccess = array_shift($files); $file_noaccess = array_shift($files);
......
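Review bot: The new 403 assertion depends on `state()->delete('image.test_file_download')`, but the comment does not say what that key controls, and the key is not restored afterwards. Presumably the test module's hook_file_download() reads it to decide whether to grant access to the original; a comment such as `// Without this state value no module grants access to the original file.` would explain the expected 403. The deletion persists for the rest of _testImageStyleUrlAndPath(), which continues outside the hunk, so confirm that the later no-access check still exercises an explicit denial rather than the same empty-result path. Any branch restricting these lines to the private scheme is also outside the hunk.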