#651394: filefield_file_download() is too restrictive when nodes share files.

07083e2f · quicksketch · 8c7a91fb · 07083e2f
Commit 07083e2f authored Jun 16, 2010 by quicksketch
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 7 deletions

filefield.module filefield.module +8 -7

No files found.
--- a/filefield.module
+++ b/filefield.module
@@ -172,7 +172,7 @@ function filefield_file_download($filepath) {
  // denied for ALL nodes containing the file, deny the download as well.
  // Node access checks also include checking for 'access content'.
  $nodes = array();
-  $denied = FALSE;
+  $denied = TRUE;
  foreach ($cck_files as $field_name => $field_files) {
    foreach ($field_files as $revision_id => $content) {
      // Checking separately for each revision is probably not the best idea -
@@ -181,15 +181,16 @@ function filefield_file_download($filepath) {
      if (isset($nodes[$content['nid']])) {
        continue; // Don't check the same node twice.
      }
-      if ($denied == FALSE && ($node = node_load($content['nid'])) && (node_access('view', $node) == FALSE || filefield_view_access($field_name, $node) == FALSE)) {
-        // You don't have permission to view the node this file is attached to.
-        $denied = TRUE;
+      if (($node = node_load($content['nid'])) && (node_access('view', $node) && filefield_view_access($field_name, $node))) {
+        $denied = FALSE;
+        break 2;
      }
      $nodes[$content['nid']] = $node;
    }
-    if ($denied) {
-      return -1;
-    }
+  }
+
+  if ($denied) {
+    return -1;
  }

  // Access is granted.