Loading modules/taxonomy/taxonomy.module +9 −0 Original line number Diff line number Diff line Loading @@ -2061,3 +2061,12 @@ function taxonomy_entity_query_alter($query) { unset($conditions['bundle']); } } /** * Implements hook_file_download_access(). */ function taxonomy_file_download_access($field, $entity_type, $entity) { if ($entity_type == 'taxonomy_term') { return user_access('access content'); } } modules/taxonomy/taxonomy.test +72 −0 Original line number Diff line number Diff line Loading 
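Review bot: The new `taxonomy_file_download_access()` uses loose comparison on the entity type and returns nothing (NULL) for every other entity type, and neither choice is stated; tighten the first to `if ($entity_type === 'taxonomy_term') {` and document the second in the docblock with a line such as `Grants download access for private files on terms to users who may view terms ('access content'); other entity types are deliberately left to their owning module.` The grant is the site-wide 'access content' permission, not anything tied to the specific term or vocabulary, which appears to match how core exposes term pages but is worth spelling out, since any module that restricts term visibility would have to supply its own hook_file_download_access() implementation to deny here. The context lines at the top of the hunk close taxonomy_entity_query_alter(), whose body starts outside the hunk; the same hunk is repeated further down the page.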
@@ -2170,3 +2170,75 @@ class TaxonomyTermCacheUsageTestCase extends TaxonomyWebTestCase { } } /** * Tests appropriate access control to private file fields on a term. */ class TaxonomyPrivateFileTestCase extends TaxonomyWebTestCase { public static function getInfo() { return array( 'name' => 'Taxonomy term private file access', 'description' => 'Verifies private files on terms have appropriate access control.', 'group' => 'Taxonomy', ); } public function setUp() { parent::setUp('taxonomy_test'); // Remove access content permission from registered users. user_role_revoke_permissions(DRUPAL_AUTHENTICATED_RID, array('access content')); $this->vocabulary = $this->createVocabulary(); // Add a field instance to the vocabulary. $field = array( 'field_name' => 'field_test', 'type' => 'image', 'settings' => array( 'uri_scheme' => 'private' ), ); field_create_field($field); $instance = array( 'field_name' => 'field_test', 'entity_type' => 'taxonomy_term', 'label' => 'test', 'bundle' => $this->vocabulary->machine_name, 'widget' => array( 'type' => 'image_image', 'settings' => array(), ), ); field_create_instance($instance); } /** * Tests access to a private file on a taxonomy term entity. */ public function testTaxonomyImageAccess() { $user = $this->drupalCreateUser(array('administer site configuration', 'administer taxonomy', 'access user profiles')); $this->drupalLogin($user); // Create a term and upload the image. $term = $this->createTerm($this->vocabulary); $files = $this->drupalGetTestFiles('image'); $image = array_pop($files); $edit['files[field_test_' . LANGUAGE_NONE . '_0]'] = drupal_realpath($image->uri); $this->drupalPost('taxonomy/term/' . $term->tid . '/edit', $edit, t('Save')); $term = taxonomy_term_load($term->tid); $this->assertText(t('Updated term @name.', array('@name' => $term->name))); // Create a user that should have access to the file and one that doesn't. 
$access_user = $this->drupalCreateUser(array('access content')); $no_access_user = $this->drupalCreateUser(); $image = file_load($term->field_test[LANGUAGE_NONE][0]['fid']); $image_url = file_create_url($image->uri); $this->drupalLogin($access_user); $this->drupalGet($image_url); $this->assertResponse(200, 'Private image on term is accessible with right permission'); $this->drupalLogin($no_access_user); $this->drupalGet($image_url); $this->assertResponse(403, 'Private image on term not accessible without right permission'); } } Loading
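Review bot: testTaxonomyImageAccess() never exercises the anonymous role, which is the most common way a private file URL is requested, and setUp() revokes 'access content' only from DRUPAL_AUTHENTICATED_RID, so the anonymous role's default permissions decide that outcome silently. Revoke the permission from DRUPAL_ANONYMOUS_RID in setUp() alongside the existing call and add, after the `$no_access_user` assertions, `$this->drupalLogout();`, `$this->drupalGet($image_url);`, `$this->assertResponse(403, 'Private image on term not accessible to anonymous users');`. The 'administer site configuration' and 'access user profiles' permissions granted to the uploading user do not seem to be needed by anything in the test and could be dropped to keep the fixture minimal. The same hunk is repeated further down the page.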
modules/taxonomy/taxonomy.module +9 −0 Original line number Diff line number Diff line Loading @@ -2061,3 +2061,12 @@ function taxonomy_entity_query_alter($query) { unset($conditions['bundle']); } } /** * Implements hook_file_download_access(). */ function taxonomy_file_download_access($field, $entity_type, $entity) { if ($entity_type == 'taxonomy_term') { return user_access('access content'); } }
modules/taxonomy/taxonomy.test +72 −0 Original line number Diff line number Diff line Loading 
@@ -2170,3 +2170,75 @@ class TaxonomyTermCacheUsageTestCase extends TaxonomyWebTestCase { } } /** * Tests appropriate access control to private file fields on a term. */ class TaxonomyPrivateFileTestCase extends TaxonomyWebTestCase { public static function getInfo() { return array( 'name' => 'Taxonomy term private file access', 'description' => 'Verifies private files on terms have appropriate access control.', 'group' => 'Taxonomy', ); } public function setUp() { parent::setUp('taxonomy_test'); // Remove access content permission from registered users. user_role_revoke_permissions(DRUPAL_AUTHENTICATED_RID, array('access content')); $this->vocabulary = $this->createVocabulary(); // Add a field instance to the vocabulary. $field = array( 'field_name' => 'field_test', 'type' => 'image', 'settings' => array( 'uri_scheme' => 'private' ), ); field_create_field($field); $instance = array( 'field_name' => 'field_test', 'entity_type' => 'taxonomy_term', 'label' => 'test', 'bundle' => $this->vocabulary->machine_name, 'widget' => array( 'type' => 'image_image', 'settings' => array(), ), ); field_create_instance($instance); } /** * Tests access to a private file on a taxonomy term entity. */ public function testTaxonomyImageAccess() { $user = $this->drupalCreateUser(array('administer site configuration', 'administer taxonomy', 'access user profiles')); $this->drupalLogin($user); // Create a term and upload the image. $term = $this->createTerm($this->vocabulary); $files = $this->drupalGetTestFiles('image'); $image = array_pop($files); $edit['files[field_test_' . LANGUAGE_NONE . '_0]'] = drupal_realpath($image->uri); $this->drupalPost('taxonomy/term/' . $term->tid . '/edit', $edit, t('Save')); $term = taxonomy_term_load($term->tid); $this->assertText(t('Updated term @name.', array('@name' => $term->name))); // Create a user that should have access to the file and one that doesn't. 
$access_user = $this->drupalCreateUser(array('access content')); $no_access_user = $this->drupalCreateUser(); $image = file_load($term->field_test[LANGUAGE_NONE][0]['fid']); $image_url = file_create_url($image->uri); $this->drupalLogin($access_user); $this->drupalGet($image_url); $this->assertResponse(200, 'Private image on term is accessible with right permission'); $this->drupalLogin($no_access_user); $this->drupalGet($image_url); $this->assertResponse(403, 'Private image on term not accessible without right permission'); } }