hook_file_download() example breaks other modules files

Created on 7 December 2016, over 8 years ago
Updated 3 June 2024, about 1 year ago

The example for https://api.drupal.org/api/drupal/modules!system!system.api.php/function...

  • Uses file_prepare_directory() to determine if it's managed by the current module, but this function will always return false if passed a file
  • Doesn't return NULL if a file is not managed by the current module because it never checks this
  • If the user doesn't have the 'access user profiles' permission, they will not be able to see private files managed by another module because it always thinks it manages every file
  • If the user does have 'access user profiles', the 'Content-Type' header is set to NULL, so files that aren't images are displayed as binary because it always sets the 'Content-Type' header to NULL

Should be something like:

function hook_file_download($uri) {
  // Check if the file is controlled by the current module.
  $files = file_load_multiple(array(), array('uri' => $uri));
  $file = reset($files);
  if ($file) {
    $usage = file_usage_list($file);
    if (isset($usage['user'])) {
      if (user_access('access user profiles')) {
        $info = image_get_info($uri);
        return array('Content-Type' => $info['mime_type']);
      }
      else {
        // Access to the file is denied.
        return -1;
      }
    }
    else {
      // File is not controlled by the current module.
      return NULL;
    }
  }
}
📌 Task
Status: Active
Version: 7.0 ⚰️
Component: Documentation

Last updated about 11 hours ago

No maintainer
Created by 🇺🇸 United States Reuben Unruh
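Added example, not part of the original issue or of Drupal core: a stand-alone PHP simulation of why a hook_file_download() implementation that never checks ownership locks users out of other modules' private files. The dispatch() function is a simplified stand-in for core's handling of the hook's return values (-1 denies, an array grants with headers, NULL means "not my file"); the reports module, the file URIs and the $usage map are constructed for illustration.

```php
<?php
// Constructed data: module that owns each private file (stand-in for file_usage_list()).
$usage = array(
  'private://pictures/picture-1.png' => 'user',
  'private://reports/q3.pdf' => 'reports',
);
// Stand-in for user_access('access user profiles').
$can_access_profiles = FALSE;

// Behaviour the issue describes: ownership is never checked.
function buggy_user_file_download($uri) {
  global $can_access_profiles;
  return $can_access_profiles ? array('Content-Type' => NULL) : -1;
}

// Ownership is checked first; NULL for files that belong to other modules.
function fixed_user_file_download($uri) {
  global $usage, $can_access_profiles;
  if (!isset($usage[$uri]) || $usage[$uri] !== 'user') {
    return NULL;
  }
  return $can_access_profiles ? array('Content-Type' => 'image/png') : -1;
}

// Hypothetical second module serving its own private file.
function reports_file_download($uri) {
  global $usage;
  $mine = isset($usage[$uri]) && $usage[$uri] === 'reports';
  return $mine ? array('Content-Type' => 'application/pdf') : NULL;
}

// Simplified dispatcher: a single -1 denies, header arrays are merged,
// and no headers at all also means denied.
function dispatch($uri, array $hooks) {
  $headers = array();
  foreach ($hooks as $hook) {
    $result = $hook($uri);
    if ($result === -1) {
      return 'denied';
    }
    if (is_array($result)) {
      $headers = array_merge($headers, $result);
    }
  }
  return $headers ? $headers : 'denied';
}

$uri = 'private://reports/q3.pdf';
var_dump(dispatch($uri, array('buggy_user_file_download', 'reports_file_download')));
var_dump(dispatch($uri, array('fixed_user_file_download', 'reports_file_download')));
```

The first call is denied even though the reports module would grant access; the second returns the PDF headers because the corrected hook abstains with NULL.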
