From 07083e2fbfd6304f45b9a8896c4cd4c19337097a Mon Sep 17 00:00:00 2001
From: Nathan Haug <quicksketch@35821.no-reply.drupal.org>
Date: Wed, 16 Jun 2010 23:25:16 +0000
Subject: [PATCH] #651394: filefield_file_download() is too restrictive when
 nodes share files.

---
 filefield.module | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/filefield.module b/filefield.module
index 77ba211..29ab918 100644
--- a/filefield.module
+++ b/filefield.module
@@ -172,7 +172,7 @@ function filefield_file_download($filepath) {
   // denied for ALL nodes containing the file, deny the download as well.
   // Node access checks also include checking for 'access content'.
   $nodes = array();
-  $denied = FALSE;
+  $denied = TRUE;
   foreach ($cck_files as $field_name => $field_files) {
     foreach ($field_files as $revision_id => $content) {
       // Checking separately for each revision is probably not the best idea -
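Review bot: Initialising `$denied = TRUE` makes this check fail closed, but nothing next to the assignment says so, and a later reader could flip the default back without seeing the consequence. I would add `// Default deny: access is granted only when at least one referencing node and its field are viewable.` directly above the assignment. Whether `$cck_files` can be empty at this point is not visible, because the function starts outside the hunk; if it can, every such download now returns -1, and that should be confirmed as intended.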
@@ -181,15 +181,16 @@ function filefield_file_download($filepath) {
       if (isset($nodes[$content['nid']])) {
         continue; // Don't check the same node twice.
       }
-      if ($denied == FALSE && ($node = node_load($content['nid'])) && (node_access('view', $node) == FALSE || filefield_view_access($field_name, $node) == FALSE)) {
-        // You don't have permission to view the node this file is attached to.
-        $denied = TRUE;
+      if (($node = node_load($content['nid'])) && (node_access('view', $node) && filefield_view_access($field_name, $node))) {
+        $denied = FALSE;
+        break 2;
       }
       $nodes[$content['nid']] = $node;
     }
-    if ($denied) {
-      return -1;
-    }
+  }
+
+  if ($denied) {
+    return -1;
   }
 
   // Access is granted.
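Review bot: The duplicate-node shortcut `isset($nodes[$content['nid']])` is keyed by nid only, while the grant condition also depends on `$field_name` through `filefield_view_access()`. If one node carries the file in two fields and the first field is not viewable, the node is cached and the second field is never evaluated, so a user who may view that field is still denied. Keying the cache per field, with `isset($nodes[$field_name][$content['nid']])` and `$nodes[$field_name][$content['nid']] = $node;`, avoids that. Separately, the grant is decided on whatever `node_load($content['nid'])` returns and `$revision_id` is not used, so under the new allow-if-any rule a file referenced only from an older revision appears to be served to anyone who can view the current node; that is worth confirming. The function continues outside the hunk.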
-- 
GitLab