Revision b0dc3a2e

Added by Julien Enselme over 7 years ago

Update to Drupal 7.52


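--- a/drupal7/modules/file/file.module
+++ b/drupal7/modules/file/file.module
@@ -457,6 +457,17 @@
       '#markup' => theme('file_link', array('file' => $element['#file'])) . ' ',
       '#weight' => -10,
     );
+    // Anonymous users who have uploaded a temporary file need a
+    // non-session-based token added so file_managed_file_value() can check
+    // that they have permission to use this file on subsequent submissions of
+    // the same form (for example, after an Ajax upload or form validation
+    // error).
+    if (!$GLOBALS['user']->uid && $element['#file']->status != FILE_STATUS_PERMANENT) {
+      $element['fid_token'] = array(
+        '#type' => 'hidden',
+        '#value' => drupal_hmac_base64('file-' . $fid, drupal_get_private_key() . drupal_get_hash_salt()),
+      );
+    }
   }
 
   // Add the extension list to the page as JavaScript settings.
@@ -533,13 +544,24 @@
           $force_default = TRUE;
         }
         // Temporary files that belong to other users should never be allowed.
-        // Since file ownership can't be determined for anonymous users, they
-        // are not allowed to reuse temporary files at all.
-        elseif ($file->status != FILE_STATUS_PERMANENT && (!$GLOBALS['user']->uid || $file->uid != $GLOBALS['user']->uid)) {
-          $force_default = TRUE;
+        elseif ($file->status != FILE_STATUS_PERMANENT) {
+          if ($GLOBALS['user']->uid && $file->uid != $GLOBALS['user']->uid) {
+            $force_default = TRUE;
+          }
+          // Since file ownership can't be determined for anonymous users, they
+          // are not allowed to reuse temporary files at all. But they do need
+          // to be able to reuse their own files from earlier submissions of
+          // the same form, so to allow that, check for the token added by
+          // file_managed_file_process().
+          elseif (!$GLOBALS['user']->uid) {
+            $token = drupal_array_get_nested_value($form_state['input'], array_merge($element['#parents'], array('fid_token')));
+            if ($token !== drupal_hmac_base64('file-' . $file->fid, drupal_get_private_key() . drupal_get_hash_salt())) {
+              $force_default = TRUE;
+            }
+          }
         }
         // If all checks pass, allow the file to be changed.
-        else {
+        if (!$force_default) {
           $fid = $file->fid;
         }
       }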
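Review bot: The token check at new line 558 compares the submitted `fid_token` with the expected HMAC using `!==`, which is not a constant-time comparison, and `$token` is read straight from `$form_state['input']`, so it may be NULL or an array rather than a string. I would compute the expected value once and compare it with a timing-safe helper, for example `if (!is_string($token) || !hash_equals($expected, $token)) {`, using a project-level equivalent if the supported PHP floor predates `hash_equals()`. The token is derived only from the fid and the site keys, so it is the same in every form and stays valid for as long as the file is temporary; a short comment saying this is intentional would help, because the retained sentence "they are not allowed to reuse temporary files at all" now contradicts the branch directly below it. Both functions start and end outside the lines shown, so the initialisation of `$force_default` before the new `if (!$force_default)` could not be checked here.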
