
function webform_file_download in Webform 7.4

Same name and namespace in other branches
  1. 8.5 webform.module \webform_file_download()
  2. 5.2 webform.module \webform_file_download()
  3. 5 webform.module \webform_file_download()
  4. 6.3 webform.module \webform_file_download()
  5. 6.2 webform.module \webform_file_download()
  6. 7.3 webform.module \webform_file_download()
  7. 6.x webform.module \webform_file_download()

Implements hook_file_download().

Only allow users with access to view webform submissions to download files.

File

./webform.module, line 1443
This module provides a simple way to create forms and questionnaires.

Code

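/**
 * Implements hook_file_download().
 *
 * Decides whether the current request may download a file that was uploaded
 * through a webform. The checks run in this order:
 * - File attached to a submission: allowed only when
 *   webform_submission_access() passes for that submission, otherwise denied.
 * - File not attached to a submission but listed under 'webform_files' in the
 *   current session (an upload for a submission in progress by this user):
 *   allowed.
 * - Any other file whose target path starts with 'webform/': denied.
 * - Anything else: no decision is made here.
 *
 * @param string $uri
 *   URI of the requested file.
 *
 * @return array|int|null
 *   The result of file_get_content_headers() to allow the download, -1 to
 *   deny it, or NULL when the file is not handled by this function.
 */
function webform_file_download($uri) {
  module_load_include('inc', 'webform', 'includes/webform.submissions');

  // Start from "nothing known" so every later check reads a defined value
  // instead of relying on empty() tolerating unset variables.
  $file = NULL;
  $submission = NULL;

  // Determine whether this file was a webform upload. The LEFT JOIN keeps the
  // file row even when it has no webform submission usage; sid is then NULL.
  // Only the first matching row is examined. All placeholder keys carry the
  // leading colon so they match the names used in the query text.
  $row = db_query("SELECT fu.id as sid, f.fid FROM {file_managed} f LEFT JOIN {file_usage} fu ON f.fid = fu.fid AND fu.module = :webform AND fu.type = :submission WHERE f.uri = :uri", array(
    ':uri' => $uri,
    ':webform' => 'webform',
    ':submission' => 'submission',
  ))
    ->fetchObject();
  if ($row) {
    $file = file_load($row->fid);
    if (!empty($row->sid)) {
      $submissions = webform_get_submissions(array(
        'sid' => $row->sid,
      ));
      // reset() yields FALSE for an empty result, which the check below
      // treats the same as "no submission".
      $submission = reset($submissions);
    }
  }

  // Grant or deny file access based on access to the submission.
  if (!empty($submission)) {
    $node = node_load($submission->nid);
    // Fail closed: node_load() returns FALSE when the node cannot be loaded,
    // and a non-node should not be handed to the access check.
    if ($node && webform_submission_access($node, $submission)) {
      return file_get_content_headers($file);
    }
    else {
      return -1;
    }
  }
  elseif (!empty($file) && !empty($_SESSION['webform_files'][$file->fid])) {
    // No submission yet, but this session recorded the upload.
    return file_get_content_headers($file);
  }

  // Ensure we never completely ignore a webform file request.
  if (strpos(file_uri_target($uri), 'webform/') === 0) {

    // The file is not part of a submission or a submission-in-progress (by
    // the current user), however it may be part of a submission-in-progress
    // (or an abandoned submission) by another user. We assume that all files
    // under our enforced directory prefix are in fact webform files, and so
    // we deny access to the file. Abandoned uploads will be deleted by
    // system_cron() in due course.
    return -1;
  }

  // Not a webform file: express no opinion on the download.
  return NULL;
}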