#956618 by Berdir | xsonic: Fixed private files access check.
authorSascha Grossenbacher
Sat, 27 Nov 2010 15:12:38 +0000 (15:12 +0000)
committerSascha Grossenbacher
Sat, 27 Nov 2010 15:12:38 +0000 (15:12 +0000)
privatemsg_attachments/privatemsg_attachments.module
privatemsg_attachments/privatemsg_attachments.test

index d08b392..427a2f9 100644 (file)
@@ -400,10 +400,12 @@ function phptemplate_privatemsg_list_field__attachment($thread) {
  * Implements hook_file_download().
  */
 function privatemsg_attachments_file_download($filepath) {
+  global $user;
   $filepath = file_create_path($filepath);
   $result = db_query("SELECT f.*, pma.mid FROM {files} f INNER JOIN {pm_attachments} pma ON f.fid = pma.fid WHERE filepath = '%s'", $filepath);
   if ($file = db_fetch_object($result)) {
-    if (user_access('view private message attachments') && privatemsg_message_load($file->mid)) {
+    // Try to load the message, pass user object to check recipient status.
+    if (user_access('view private message attachments') && privatemsg_message_load($file->mid, $user)) {
       return array(
         'Content-Type: ' . $file->filemime,
         'Content-Length: ' . $file->filesize,
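Review bot: The two halves of the new condition on the `+ if (user_access(...) && privatemsg_message_load($file->mid, $user))` line are evaluated against the same account only implicitly: `user_access()` falls back to the global user while the message load receives `$user` explicitly. Passing the account to both, `user_access('view private message attachments', $user) && privatemsg_message_load($file->mid, $user)`, makes the intent visible and keeps the checks in step if the account source ever changes. The new comment should also state what the second call is relied on for, e.g. `// privatemsg_message_load() returns FALSE when $user is not a participant of the message.`, since the whole access decision hinges on that return contract, which is not visible here. The rest of `privatemsg_attachments_file_download()` is outside the hunk, so whether the non-participant case returns -1 (access denied) or nothing (not found) cannot be seen; the test in this commit expects 403, so that branch presumably returns -1 and is worth confirming.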
index 5efda75..e35e2bc 100644 (file)
@@ -26,6 +26,14 @@ class PrivatemsgAttachmentsTestCase extends DrupalWebTestCase {
   function testPrivateDownloads() {
     variable_set('file_downloads', FILE_DOWNLOADS_PRIVATE);
     $this->testPublicDownloads();
+
+    // Make sure that other users can't view the private file.
+    $file_url = $this->getUrl();
+    $other_user = $this->drupalCreateUser(array('read privatemsg', 'view private message attachments'));
+    $this->drupalLogin($other_user);
+
+    $this->drupalGet($file_url);
+    $this->assertResponse(403, t('Access to private attachment denied for other user.'));
   }
 
   /**
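Review bot: The added check reuses `$this->getUrl()` after the `$this->testPublicDownloads()` call, so the URL under test is whatever request that method happened to make last; if the request order in `testPublicDownloads()` changes, this assertion silently tests a different page. Capturing the attachment URL explicitly (or having `testPublicDownloads()` return it) would make the dependency visible. A short comment would also help readers see why the second user is granted 'view private message attachments': `// The other user has the permission, so only the recipient check can deny access.`, which is the behaviour this commit fixes. The same fix would additionally deserve a logged-out request expecting 403 (`$this->drupalLogout(); $this->drupalGet($file_url); $this->assertResponse(403, ...)`), as anonymous access to private attachments is the other path through the same check. `testPublicDownloads()` itself is outside the hunk.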