-rw-r--r--privatemsg_attachments/privatemsg_attachments.module4
-rw-r--r--privatemsg_attachments/privatemsg_attachments.test8
2 files changed, 11 insertions, 1 deletions
diff --git a/privatemsg_attachments/privatemsg_attachments.module b/privatemsg_attachments/privatemsg_attachments.module
index d08b392..427a2f9 100644
--- a/privatemsg_attachments/privatemsg_attachments.module
+++ b/privatemsg_attachments/privatemsg_attachments.module
@@ -400,10 +400,12 @@ function phptemplate_privatemsg_list_field__attachment($thread) {
* Implements hook_file_download().
*/
function privatemsg_attachments_file_download($filepath) {
+ global $user;
$filepath = file_create_path($filepath);
$result = db_query("SELECT f.*, pma.mid FROM {files} f INNER JOIN {pm_attachments} pma ON f.fid = pma.fid WHERE filepath = '%s'", $filepath);
if ($file = db_fetch_object($result)) {
- if (user_access('view private message attachments') && privatemsg_message_load($file->mid)) {
+ // Try to load the message, pass user object to check recipient status.
+ if (user_access('view private message attachments') && privatemsg_message_load($file->mid, $user)) {
return array(
'Content-Type: ' . $file->filemime,
'Content-Length: ' . $file->filesize,
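Review bot: When the recipient check on the new line `privatemsg_message_load($file->mid, $user)` fails, nothing in the hunk denies the download explicitly; the rest of privatemsg_attachments_file_download() lies outside the hunk, so I cannot see what follows the inner `if`. In Drupal 6's hook_file_download() a return of nothing means "no opinion", so another module implementing the hook could still grant the file, whereas returning -1 denies it outright — and the test in this commit only expects a 403, which holds only as long as no other hook grants access. Since the db_query match already establishes that the path is a private message attachment, I would add after the inner `if` block: `// This is a PM attachment the current user may not read: deny explicitly rather than leave it to other modules.` followed by `return -1;`. Separately, `db_fetch_object()` takes only the first pm_attachments row for the path, so if the same fid can be attached to more than one message only one mid is checked; I cannot tell from here whether the schema permits that.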
diff --git a/privatemsg_attachments/privatemsg_attachments.test b/privatemsg_attachments/privatemsg_attachments.test
index 5efda75..e35e2bc 100644
--- a/privatemsg_attachments/privatemsg_attachments.test
+++ b/privatemsg_attachments/privatemsg_attachments.test
@@ -26,6 +26,14 @@ class PrivatemsgAttachmentsTestCase extends DrupalWebTestCase {
function testPrivateDownloads() {
variable_set('file_downloads', FILE_DOWNLOADS_PRIVATE);
$this->testPublicDownloads();
+
+ // Make sure that other users can't view the private file.
+ $file_url = $this->getUrl();
+ $other_user = $this->drupalCreateUser(array('read privatemsg', 'view private message attachments'));
+ $this->drupalLogin($other_user);
+
+ $this->drupalGet($file_url);
+ $this->assertResponse(403, t('Access to private attachment denied for other user.'));
}
/**
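Review bot: The URL the denial is asserted against comes from `$this->getUrl()` right after the call to `testPublicDownloads()`, so the new assertions depend implicitly on that method ending with a fetch of the attachment itself; if it is later changed to end on another page, `assertResponse(403)` would be checked against the wrong URL and could pass for unrelated reasons. I would capture the attachment path explicitly — for example have testPublicDownloads() return or store the file URL in a property — and assert against that, with a comment such as `// Use the attachment URL recorded above, not the browser's last location.`. Since the response code alone is what is pinned, it would also be worth asserting that the other user does not receive the file contents (e.g. `assertNoRaw()` on the known attachment body), which guards against a handler that returns 403 after already emitting data.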