Merge pull request #412 from Srokap/filestore_loose_owner_control

Don't let owner visibility prevent access to otherwise visible files. (Grabbing owner guid instead of owner entity to build file matrix in getFilenameOnFilestore())

1 files changed, 5 insertions, 5 deletions

diff --git a/engine/classes/ElggDiskFilestore.php b/engine/classes/ElggDiskFilestore.php
index f00376481..7aace43ba 100644
--- a/engine/classes/ElggDiskFilestore.php
+++ b/engine/classes/ElggDiskFilestore.php
@@ -200,18 +200,18 @@ class ElggDiskFilestore extends ElggFilestore {
 	 * @return string The full path of where the file is stored
 	 */
 	public function getFilenameOnFilestore(ElggFile $file) {
-		$owner = $file->getOwnerEntity();
-		if (!$owner) {
-			$owner = elgg_get_logged_in_user_entity();
+		$owner_guid = $file->getOwnerGuid();
+		if (!$owner_guid) {
+			$owner_guid = elgg_get_logged_in_user_guid();
 		}
 
-		if (!$owner) {
+		if (!$owner_guid) {
 			$msg = elgg_echo('InvalidParameterException:MissingOwner',
 				array($file->getFilename(), $file->guid));
 			throw new InvalidParameterException($msg);
 		}
 
-		return $this->dir_root . $this->makefileMatrix($owner->guid) . $file->getFilename();
+		return $this->dir_root . $this->makefileMatrix($owner_guid) . $file->getFilename();
 	}
 
 	/**