You are here

function file_file_download in Zircon Profile 8

Same name and namespace in other branches
  1. 8.0 core/modules/file/file.module \file_file_download()

Implements hook_file_download().

File

core/modules/file/file.module, line 572
Defines a "managed_file" Form API field and a "file" field for Field module.

Code

function file_file_download($uri) {

  // Get the file record based on the URI. If not in the database just return.

  /** @var \Drupal\file\FileInterface[] $files */
  $files = entity_load_multiple_by_properties('file', array(
    'uri' => $uri,
  ));
  if (count($files)) {
    foreach ($files as $item) {

      // Since some database servers sometimes use a case-insensitive comparison
      // by default, double check that the filename is an exact match.
      if ($item
        ->getFileUri() === $uri) {
        $file = $item;
        break;
      }
    }
  }
  if (!isset($file)) {
    return;
  }

  // Find out if a temporary file is still used in the system.
  if ($file
    ->isTemporary()) {
    $usage = \Drupal::service('file.usage')
      ->listUsage($file);
    if (empty($usage) && $file
      ->getOwnerId() != \Drupal::currentUser()
      ->id()) {

      // Deny access to temporary files without usage that are not owned by the
      // same user. This prevents the security issue that a private file that
      // was protected by field permissions becomes available after its usage
      // was removed and before it is actually deleted from the file system.
      // Modules that depend on this behavior should make the file permanent
      // instead.
      return -1;
    }
  }

  // Find out which (if any) fields of this type contain the file.
  $references = file_get_file_references($file, NULL, EntityStorageInterface::FIELD_LOAD_CURRENT, NULL);

  // Stop processing if there are no references in order to avoid returning
  // headers for files controlled by other modules. Make an exception for
  // temporary files where the host entity has not yet been saved (for example,
  // an image preview on a node/add form) in which case, allow download by the
  // file's owner.
  if (empty($references) && ($file
    ->isPermanent() || $file
    ->getOwnerId() != \Drupal::currentUser()
    ->id())) {
    return;
  }
  if (!$file
    ->access('download')) {
    return -1;
  }

  // Access is granted.
  $headers = file_get_content_headers($file);
  return $headers;
}