1.20.x file.module file_file_access($op, $file, $account)

Implements hook_file_access().

Related topics

File access rights The file access system determines who can do what to which files.

File

modules/file/file.module, line 2916
Defines a "managed_file" Form API field and a "file" field for Field module.

Code

function file_file_access($op, $file, $account) {
  // If the file URI is invalid, deny access.
  if (is_object($file) && isset($file->uri) && !file_valid_uri($file->uri)) {
    if (isset($file->is_new) && $file->is_new == true && user_access('create files', $account)) {
      return FILE_ACCESS_ALLOW;
    }
    return FILE_ACCESS_DENY;
  }

  if ($op == 'create') {
    if (user_access('create files', $account)) {
      return FILE_ACCESS_ALLOW;
    }
  }

  if (!empty($file)) {
    $type = is_string($file) ? $file : $file->type;

    if (in_array($type, file_permissions_get_configured_types())) {
      if ($op == 'download') {
        if (user_access('download any ' . $type . ' files', $account) || is_object($file) && user_access('download own ' . $type . ' files', $account) && ($account->uid == $file->uid)) {
          return FILE_ACCESS_ALLOW;
        }
      }

      if ($op == 'update') {
        if (user_access('manage files', $account) || user_access('edit any ' . $type . ' files', $account) || (is_object($file) && user_access('edit own ' . $type . ' files', $account) && ($account->uid == $file->uid))) {
          return FILE_ACCESS_ALLOW;
        }
      }

      if ($op == 'delete') {
        if (user_access('delete files', $account) || user_access('delete any ' . $type . ' files', $account) || (is_object($file) && user_access('delete own ' . $type . ' files', $account) && ($account->uid == $file->uid))) {
          return FILE_ACCESS_ALLOW;
        }
      }
    }
  }

  return FILE_ACCESS_IGNORE;
}