Contrib.social

Any user can download without permission

Open on Drupal.org →
Created on 15 October 2024, 2 months ago

Problem/Motivation

Fresh install on Drupal 10.3.6, tested with the default Image field on the Article content type, and with a newly added simple File upload field there. Both could be downloaded by permissioned and non-permissioned user roles, even anons.

Not sure if this is a bug or it works as intended and we just need some documentation, like maybe having a private file system is a pre-requisite? 🤷🏻‍♂️

🐛 Bug report
Status

Active

Version

2.0

Component

Code

Created by

🇮🇹Italy kopeboy Milan

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @kopeboy
  • Comment 2 months ago
    🇮🇳India arunsahijpal

    Hi @kopeboy,
    If you configure private file system then also anonymous user is able to download the file.

  • Comment 2 months ago
    🇮🇹Italy kopeboy Milan

    I think you didn't get my point.

    Look at this permission:

    If I don't enable that for authenticated users, I would expect them to NOT see the file download link, but that is not the case: they can see & download the image & file fields that use the formatter provided by this module.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024