function file_file_download

Implements hook_file_download().

File

core/modules/file/file.module, line 120

Code

function file_file_download($uri) {
    // Get the file record based on the URI. If not in the database just return.
    
    /** @var \Drupal\file\FileRepositoryInterface $file_repository */
    $file_repository = \Drupal::service('file.repository');
    $file = $file_repository->loadByUri($uri);
    if (!$file) {
        return;
    }
    // Find out if a temporary file is still used in the system.
    if ($file->isTemporary()) {
        $usage = \Drupal::service('file.usage')->listUsage($file);
        if (empty($usage) && $file->getOwnerId() != \Drupal::currentUser()->id()) {
            // Deny access to temporary files without usage that are not owned by the
            // same user. This prevents the security issue that a private file that
            // was protected by field permissions becomes available after its usage
            // was removed and before it is actually deleted from the file system.
            // Modules that depend on this behavior should make the file permanent
            // instead.
            return -1;
        }
    }
    // Find out which (if any) fields of this type contain the file.
    $references = file_get_file_references($file, NULL, EntityStorageInterface::FIELD_LOAD_CURRENT, NULL);
    // Stop processing if there are no references in order to avoid returning
    // headers for files controlled by other modules. Make an exception for
    // temporary files where the host entity has not yet been saved (for example,
    // an image preview on a node/add form) in which case, allow download by the
    // file's owner.
    if (empty($references) && ($file->isPermanent() || $file->getOwnerId() != \Drupal::currentUser()->id())) {
        return;
    }
    if (!$file->access('download')) {
        return -1;
    }
    // Access is granted.
    $headers = file_get_content_headers($file);
    return $headers;
}