1 file.module file_access($op, $file = NULL, $account = NULL)

Determines if a user may perform the given operation on the specified file.


$op: The operation to be performed on the file. Possible values are:

  • "view"
  • "download"
  • "update"
  • "delete"
  • "create"

$file: The file object on which the operation is to be performed, or file type (e.g. 'image') for "create" operation.

$account: Optional, a user object representing the user for whom the operation is to be performed. Determines access for a user other than the current user.

Return value

TRUE if the operation may be performed, FALSE otherwise.:

Related topics


core/modules/file/file.module, line 2809
Defines a "managed_file" Form API field and a "file" field for Field module.


function file_access($op, $file = NULL, $account = NULL) {
  $rights = &backdrop_static(__FUNCTION__, array());

  if (!$file && !in_array($op, array('view', 'download', 'update', 'delete', 'create'), TRUE)) {
    // If there was no file to check against, and the $op was not one of the
    // supported ones, we return access denied.
    return FALSE;

  // If no user object is supplied, the access check is for the current user.
  if (empty($account)) {
    $account = $GLOBALS['user'];

  // $file may be either an object or a file type. Since file types cannot be
  // an integer, use either fid or type as the static cache id.
  $cache_id = NULL;
  if (!empty($file->id)) {
    $cache_id = $file->id;
  elseif (is_string($file) && $op == 'create') {
    $cache_id = $file;
  else {
    $cache_id = backdrop_hash_base64(serialize($file));

  // If we've already checked access for this file, user and op, return from
  // cache.
  if (isset($rights[$account->uid][$cache_id][$op])) {
    return $rights[$account->uid][$cache_id][$op];

  if (user_access('bypass file access', $account)) {
    return $rights[$account->uid][$cache_id][$op] = TRUE;

  // We grant access to the file if both of the following conditions are met:
  // - No modules say to deny access.
  // - At least one module says to grant access.
  $access = module_invoke_all('file_access', $op, $file, $account);
  if (in_array(FILE_ACCESS_DENY, $access, TRUE)) {
    return $rights[$account->uid][$cache_id][$op] = FALSE;
  elseif (in_array(FILE_ACCESS_ALLOW, $access, TRUE)) {
    return $rights[$account->uid][$cache_id][$op] = TRUE;

  // Fall back to default behaviors on view.
  if ($op == 'view' && is_object($file)) {
    $scheme = file_uri_scheme($file->uri);
    $wrapper = file_get_stream_wrapper($scheme);

    if (!empty($wrapper['private'])) {
      // For private files, users can view private files if the
      // user has the 'view private files' permission.
      if (user_access('view private files', $account)) {
        return $rights[$account->uid][$cache_id][$op] = TRUE;

      // For private files, users can view their own private files if the
      // user is not anonymous, and has the 'view own private files' permission.
      if (!empty($account->uid) && $file->uid == $account->uid && user_access('view own private files', $account)) {
        return $rights[$account->uid][$cache_id][$op] = TRUE;
    elseif ($file->status == FILE_STATUS_PERMANENT && $file->uid == $account->uid && user_access('view own files', $account)) {
      // For non-private files, allow to see if user owns the file.
      return $rights[$account->uid][$cache_id][$op] = TRUE;
    elseif ($file->status == FILE_STATUS_PERMANENT && user_access('view files', $account)) {
      // For non-private files, users can view if they have the 'view files'
      // permission.
      return $rights[$account->uid][$cache_id][$op] = TRUE;

  return FALSE;