[drupal-devel] restricting access to file downloads with flexinode

Gerhard Killesreiter killesreiter at physik.uni-freiburg.de
Fri Aug 5 17:37:21 UTC 2005



On Fri, 5 Aug 2005 drupal at dave-cohen.com wrote:
> On Tue, 2 Aug 2005 20:18:59 +0200, "Gerhard Killesreiter"
> <killesreiter at physik.uni-freiburg.de> said:
> >
> >
> > On Tue, 2 Aug 2005, David Cohen wrote:
> >
> > > My problem is the uploaded files.  By default, anyone can download the
> > > files uploaded via flexinode.  I never show an anonymous user the link
> > > to a flash file, but if they type "system/files?file=private-file.swf"
> > > in the URL, they'll be able to download it anyway.
> >
> > IIRC this was fixed a while ago.
>
> I didn't mean to say its a shortcoming of Drupal core, but rather of
> flexinode, that any file uploaded via flexinode can be downloaded by
> anyone.

That is what I meant:
http://cvs.drupal.org/viewcvs/drupal/contributions/modules/flexinode/flexinode.module?rev=1.50&view=log

See the commits to  1.49,  1.46.2.2, 1.36.2.5

Cheers,
	Gerhard



More information about the drupal-devel mailing list