[drupal-devel] restricting access to file downloads with flexinode

drupal at dave-cohen.com drupal at dave-cohen.com
Fri Aug 5 16:14:55 UTC 2005


Gerhard,

Thanks for the info.  I did take a look at the image module.  Using it
as an example, I implemented my node as a custom node, rather than a
flexinode.  While this took a bit longer, I think I've ended up with
something more robust and versatile.

More comments inline...

On Tue, 2 Aug 2005 20:18:59 +0200, "Gerhard Killesreiter"
<killesreiter at physik.uni-freiburg.de> said:
>
>
> On Tue, 2 Aug 2005, David Cohen wrote:
>
> > My problem is the uploaded files.  By default, anyone can download the
> > files uploaded via flexinode.  I never show an anonymous user the link
> > to a flash file, but if they type "system/files?file=private-file.swf"
> > in the URL, they'll be able to download it anyway.
>
> IIRC this was fixed a while ago.

I didn't mean to say it's a shortcoming of Drupal core, but rather of
flexinode, that any file uploaded via flexinode can be downloaded by
anyone.  It's simply because the download hook has no check for
permission.  Interestingly, the image module does the same thing.  For
instance, with my newly written custom node I implement a download hook
that returns -1 when an unauthorized user tries to download one of my
node's images.  But the image module download hook also allows users to
download images.  If it is called before (or after) my hook, the user
will be able to download the file.  This can be fixed by having the
image module behave a little smarter, I think.

>
> > My second problem is that lots of files will be uploaded, and eventually
> > the files directory will be a real mess.  So I want to control where
> > each of these files goes.  For instance, the previews could all go to
> > 'files/preview_images' and the movies to 'files/videos'.
>
> Sure, look at image.module.

Good advice, thanks.  There is still the limit that all files are
written within the files/ directory.

>
> > I've addressed both of these problems in the attached patch to flexinode.
> > I'd appreciate it if some experienced drupal coders would check my work.
> >  I'd like to see something like this checked into the code base.  I hope
>
> Flexinode is maintained by Jonathan Chaffer who seems to be buried under
> a real lot of work. Your best bet is to create an issue and attach
> patches.

Will do.  I'll create issues for all the problems I mention.  But
they're not major problems.  I've managed to get my app working well
despite them.

Thanks again,

-Dave
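
The hook interaction described in this message, as an added example that is not part of the original post and is not Drupal or flexinode code: a constructed PHP model in which the function names, the `DENY` constant and the user array are hypothetical. It contrasts a dispatcher that serves the file as soon as any hook returns headers with one where a single -1 vetoes the download, for both hook orders.

```php
<?php
// Constructed model, not Drupal code: each "module" exposes a download hook that
// returns -1 (deny), an array of headers (allow), or NULL (not my file).
const DENY = -1;

// Stand-in for the custom node module from the message: denies unauthorized users.
function mynode_download($file, $user) {
  if (strpos($file, 'private-') !== 0) {
    return NULL;                       // not one of this module's files
  }
  return $user['authorized'] ? array('Content-Type: application/x-shockwave-flash') : DENY;
}

// Stand-in for a permissive hook: answers for every file, with no permission check.
function permissive_download($file, $user) {
  return array('Content-Type: application/octet-stream');
}

// Weak dispatch: the file is served as soon as any hook returns headers.
function dispatch_any_allow(array $hooks, $file, $user) {
  foreach ($hooks as $hook) {
    if (is_array($hook($file, $user))) {
      return TRUE;
    }
  }
  return FALSE;
}

// Hardened dispatch: collect every answer first; one DENY vetoes, and
// a file that no hook claims is refused (default deny).
function dispatch_deny_overrides(array $hooks, $file, $user) {
  $allowed = FALSE;
  foreach ($hooks as $hook) {
    $answer = $hook($file, $user);
    if ($answer === DENY) {
      return FALSE;
    }
    $allowed = $allowed || is_array($answer);
  }
  return $allowed;
}

$anonymous = array('authorized' => FALSE);  // constructed sample user
foreach (array(array('mynode_download', 'permissive_download'),
               array('permissive_download', 'mynode_download')) as $order) {
  printf("%-45s any-allow=%s deny-overrides=%s\n", implode(' -> ', $order),
    var_export(dispatch_any_allow($order, 'private-file.swf', $anonymous), TRUE),
    var_export(dispatch_deny_overrides($order, 'private-file.swf', $anonymous), TRUE));
}
```

Making the permissive hook return NULL for files it does not own is the other half of the fix: it then stops granting access to files that belong to another module.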


