updated core to 7.58 (right after the site was hacked)
@@ -6,8 +6,8 @@ core = 7.x
|
||||
dependencies[] = field
|
||||
files[] = tests/file.test
|
||||
|
||||
; Information added by Drupal.org packaging script on 2017-06-21
|
||||
version = "7.56"
|
||||
; Information added by Drupal.org packaging script on 2018-03-28
|
||||
version = "7.58"
|
||||
project = "drupal"
|
||||
datestamp = "1498069849"
|
||||
datestamp = "1522264019"
|
||||
|
||||
|
@@ -140,7 +140,7 @@ function file_file_download($uri, $field_type = 'file') {
|
||||
}
|
||||
|
||||
// Find out which (if any) fields of this type contain the file.
|
||||
$references = file_get_file_references($file, NULL, FIELD_LOAD_CURRENT, $field_type);
|
||||
$references = file_get_file_references($file, NULL, FIELD_LOAD_CURRENT, $field_type, FALSE);
|
||||
|
||||
// Stop processing if there are no references in order to avoid returning
|
||||
// headers for files controlled by other modules. Make an exception for
|
||||
@@ -1067,11 +1067,18 @@ function file_icon_map($file) {
|
||||
* @param $field_type
|
||||
* (optional) The name of a field type. If given, limits the reference check
|
||||
* to fields of the given type.
|
||||
* @param $check_access
|
||||
* (optional) A boolean that specifies whether the permissions of the current
|
||||
* user should be checked when retrieving references. If FALSE, all
|
||||
* references to the file are returned. If TRUE, only references from
|
||||
* entities that the current user has access to are returned. Defaults to
|
||||
* TRUE for backwards compatibility reasons, but FALSE is recommended for
|
||||
* most situations.
|
||||
*
|
||||
* @return
|
||||
* An integer value.
|
||||
*/
|
||||
function file_get_file_references($file, $field = NULL, $age = FIELD_LOAD_REVISION, $field_type = 'file') {
|
||||
function file_get_file_references($file, $field = NULL, $age = FIELD_LOAD_REVISION, $field_type = 'file', $check_access = TRUE) {
|
||||
$references = drupal_static(__FUNCTION__, array());
|
||||
$fields = isset($field) ? array($field['field_name'] => $field) : field_info_fields();
|
||||
|
||||
@@ -1082,6 +1089,11 @@ function file_get_file_references($file, $field = NULL, $age = FIELD_LOAD_REVISI
|
||||
$query
|
||||
->fieldCondition($file_field, 'fid', $file->fid)
|
||||
->age($age);
|
||||
if (!$check_access) {
|
||||
// Neutralize the 'entity_field_access' query tag added by
|
||||
// field_sql_storage_field_storage_query().
|
||||
$query->addTag('DANGEROUS_ACCESS_CHECK_OPT_OUT');
|
||||
}
|
||||
$references[$field_name] = $query->execute();
|
||||
}
|
||||
}
|
||||
|
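Review bot: The per-request static cache in file_get_file_references() is still keyed by field name only (`$references[$field_name] = $query->execute();`), while the query result now depends on the new `$check_access` flag, so whichever caller runs first for a given field decides what every later caller in the same request gets: an earlier access-checked call would hide references from the new unfiltered call in file_file_download(), and an earlier unfiltered call would hand the full reference list to a caller that asked for an access-checked one. Key the cache on the flag as well, e.g. `$references[(int) $check_access][$field_name] = $query->execute();`, and use the same key in the `isset()` guard and the return statement, both of which lie outside this hunk (the function body starts in the previous hunk and ends after this one). Separately, the docblock still says `@return An integer value.` although the visible code stores `$query->execute()` results per field; the return description should describe that array rather than an integer.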
@@ -1626,6 +1626,79 @@ class FilePrivateTestCase extends FileFieldTestCase {
|
||||
$this->drupalGet($file_url);
|
||||
$this->assertResponse(403, 'Confirmed that another anonymous user cannot access the permanent file when it is referenced by an unpublished node.');
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests file access for private nodes when file download access is granted.
|
||||
*/
|
||||
function testPrivateFileDownloadAccessGranted() {
|
||||
// Tell file_module_test to attempt to grant access to all private files,
|
||||
// and ensure that it is doing so correctly.
|
||||
$test_file = $this->getTestFile('text');
|
||||
$uri = file_unmanaged_move($test_file->uri, 'private://');
|
||||
$file_url = file_create_url($uri);
|
||||
$this->drupalGet($file_url);
|
||||
$this->assertResponse(403, 'Access is not granted to an arbitrary private file by default.');
|
||||
variable_set('file_module_test_grant_download_access', TRUE);
|
||||
$this->drupalGet($file_url);
|
||||
$this->assertResponse(200, 'Access is granted to an arbitrary private file after a module grants access to all private files in hook_file_download().');
|
||||
|
||||
// Create a public node with a file attached.
|
||||
$type_name = 'page';
|
||||
$field_name = strtolower($this->randomName());
|
||||
$this->createFileField($field_name, $type_name, array('uri_scheme' => 'private'));
|
||||
$test_file = $this->getTestFile('text');
|
||||
$nid = $this->uploadNodeFile($test_file, $field_name, $type_name, TRUE, array('private' => FALSE));
|
||||
$node = node_load($nid, NULL, TRUE);
|
||||
$file_url = file_create_url($node->{$field_name}[LANGUAGE_NONE][0]['uri']);
|
||||
|
||||
// Unpublish the node and ensure that only administrators (not anonymous
|
||||
// users) can access the node and download the file; the expectation is
|
||||
// that the File module's hook_file_download() implementation will deny
|
||||
// access and thereby override the file_module_test module's access grant.
|
||||
$node->status = NODE_NOT_PUBLISHED;
|
||||
node_save($node);
|
||||
$this->drupalLogin($this->admin_user);
|
||||
$this->drupalGet("node/$nid");
|
||||
$this->assertResponse(200, 'Administrator can access the unpublished node.');
|
||||
$this->drupalGet($file_url);
|
||||
$this->assertResponse(200, 'Administrator can download the file attached to the unpublished node.');
|
||||
$this->drupalLogOut();
|
||||
$this->drupalGet("node/$nid");
|
||||
$this->assertResponse(403, 'Anonymous user cannot access the unpublished node.');
|
||||
$this->drupalGet($file_url);
|
||||
$this->assertResponse(403, 'Anonymous user cannot download the file attached to the unpublished node.');
|
||||
|
||||
// Re-publish the node and ensure that the node and file can be accessed by
|
||||
// everyone.
|
||||
$node->status = NODE_PUBLISHED;
|
||||
node_save($node);
|
||||
$this->drupalLogin($this->admin_user);
|
||||
$this->drupalGet("node/$nid");
|
||||
$this->assertResponse(200, 'Administrator can access the published node.');
|
||||
$this->drupalGet($file_url);
|
||||
$this->assertResponse(200, 'Administrator can download the file attached to the published node.');
|
||||
$this->drupalLogOut();
|
||||
$this->drupalGet("node/$nid");
|
||||
$this->assertResponse(200, 'Anonymous user can access the published node.');
|
||||
$this->drupalGet($file_url);
|
||||
$this->assertResponse(200, 'Anonymous user can download the file attached to the published node.');
|
||||
|
||||
// Make the node private via the node access system and test that only
|
||||
// administrators (not anonymous users) can access the node and download
|
||||
// the file.
|
||||
$node->private = TRUE;
|
||||
node_save($node);
|
||||
$this->drupalLogin($this->admin_user);
|
||||
$this->drupalGet("node/$nid");
|
||||
$this->assertResponse(200, 'Administrator can access the private node.');
|
||||
$this->drupalGet($file_url);
|
||||
$this->assertResponse(200, 'Administrator can download the file attached to the private node.');
|
||||
$this->drupalLogOut();
|
||||
$this->drupalGet("node/$nid");
|
||||
$this->assertResponse(403, 'Anonymous user cannot access the private node.');
|
||||
$this->drupalGet($file_url);
|
||||
$this->assertResponse(403, 'Anonymous user cannot download the file attached to the private node.');
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
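Review bot: The result of `$uri = file_unmanaged_move($test_file->uri, 'private://');` in testPrivateFileDownloadAccessGranted() is never checked; file_unmanaged_move() returns FALSE when the move fails, and the following file_create_url()/drupalGet() would then yield a 403 that the first assertion reports as the expected denial, so a broken fixture passes as a successful access check. Add `$this->assertNotIdentical($uri, FALSE, 'Test file moved into the private file system.');` directly after the move so a setup failure is reported as such. The enclosing class FilePrivateTestCase begins before this hunk.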
@@ -5,8 +5,8 @@ version = VERSION
|
||||
core = 7.x
|
||||
hidden = TRUE
|
||||
|
||||
; Information added by Drupal.org packaging script on 2017-06-21
|
||||
version = "7.56"
|
||||
; Information added by Drupal.org packaging script on 2018-03-28
|
||||
version = "7.58"
|
||||
project = "drupal"
|
||||
datestamp = "1498069849"
|
||||
datestamp = "1522264019"
|
||||
|
||||
|
@@ -67,3 +67,18 @@ function file_module_test_form_submit($form, &$form_state) {
|
||||
}
|
||||
drupal_set_message(t('The file id is %fid.', array('%fid' => $fid)));
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements hook_file_download().
|
||||
*/
|
||||
function file_module_test_file_download($uri) {
|
||||
if (variable_get('file_module_test_grant_download_access')) {
|
||||
// Mimic what file_get_content_headers() would do if we had a full $file
|
||||
// object to pass to it.
|
||||
return array(
|
||||
'Content-Type' => mime_header_encode(file_get_mimetype($uri)),
|
||||
'Content-Length' => filesize($uri),
|
||||
'Cache-Control' => 'private',
|
||||
);
|
||||
}
|
||||
}
|
||||
|
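Review bot: The docblock on file_module_test_file_download() says only `Implements hook_file_download().`, but once the `file_module_test_grant_download_access` variable is set the function returns download headers for every `$uri` it is asked about, with no per-file check, and that deliberate blanket grant deserves to be stated where the code is read. Suggest extending the docblock with `Grants download access to every private file when the file_module_test_grant_download_access variable is set. Test-only behaviour; this must never be used as a template for a real hook_file_download() implementation.` The `hidden = TRUE` line in the accompanying .info hunk only hides the module from the module list, it does not prevent it from being enabled.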