rather important fix to only allow access if users can see the node.

2009-07-24 19:31:14 +00:00 · 2009-07-24 19:31:14 +00:00 · 918a637341
commit 918a637341
parent d75e2d9d45
2 changed files with 15 additions and 2 deletions
--- a/www/drupal6/filefield/Makefile
+++ b/www/drupal6/filefield/Makefile
@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.1.1.1 2009/07/17 10:00:30 espie Exp $
+# $OpenBSD: Makefile,v 1.2 2009/07/24 19:31:14 espie Exp $

 COMMENT =	file cck field

 DISTNAME = 	filefield-6.x-3.1
-PKGNAME =	drupal6-filefield-3.1
+PKGNAME =	drupal6-filefield-3.1p0

 RUN_DEPENDS =	::www/drupal6/cck

--- a/www/drupal6/filefield/patches/patch-filefield_module
+++ b/www/drupal6/filefield/patches/patch-filefield_module
@ -0,0 +1,13 @@
+$OpenBSD: patch-filefield_module,v 1.1 2009/07/24 19:31:14 espie Exp $
+--- filefield.module.orig	Fri Jul  3 22:53:07 2009
+++ filefield.module	Fri Jul 24 21:15:41 2009
+@@ -180,7 +180,8 @@ function filefield_file_download($file) {
+       if (isset($nodes[$content['nid']])) {
+         continue; // Don't check the same node twice.
+       }
+-      if ($denied == FALSE && $node = node_load($content['nid']) && node_access('view', $node)) {
+      $node = node_load($content['nid']);
+      if ($denied == FALSE && node_access('view', $node) == FALSE) {
+         // You don't have permission to view the node this file is attached to.
+         $denied = TRUE;
+       }