To reproduce:

  • start creating a new Article
  • upload an image (but don't save the node)
  • hit preview link and get "access denied"

Comment   File                                   Size      Author
#2        preview_page_return-2790809-2.patch    5.01 KB   bleen

Comments

bleen created an issue. See original summary.

bleen’s picture

Status: Active » Needs review
Status: new   Size: 5.01 KB

This patch solves the issue by adding a token to the preview link ... hopefully I can get a hold of someone who knows security a little better than I do to verify that this is a good solution, but based on my research it seems like a good fix ...

bleen’s picture

Status: Needs review » Reviewed & tested by the community

I discussed this strategy today with @coltrane and he agreed that this was a sound strategy. He did point out that I needed to test what happens if no token is provided at all. I did that, and no exception is thrown in that case; instead, the alternative logic of checking if a user has access to edit an entity that references the image in question is used.

With that, I'm going to mark this as RTBC.
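
The access decision discussed in this thread (a token on the preview link, with the edit-access check as the path taken when no token is supplied), sketched as an added example in plain PHP; it is not the committed patch or the module's code. All function names, the secret, the binding of the token to file id and user id, and the treatment of an invalid token (handled like a missing one) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a per-site private key (constructed value).
const PREVIEW_SECRET = 'constructed-demo-secret';

/** Token bound to one file and one user, so a copied link does not work for another account. */
function preview_token(int $fileId, int $uid): string {
    $mac = hash_hmac('sha256', "preview:{$fileId}:{$uid}", PREVIEW_SECRET, true);
    return rtrim(strtr(base64_encode($mac), '+/', '-_'), '='); // URL-safe base64
}

/** Stand-in for the fallback: may $uid edit a saved entity that references the file? */
function can_edit_referencing_entity(int $fileId, int $uid, array $references): bool {
    return in_array($uid, $references[$fileId] ?? [], true);
}

function preview_access(int $fileId, int $uid, ?string $token, array $references): bool {
    if (is_string($token) && $token !== '') {
        // Constant-time comparison against the expected token for this file and user.
        if (hash_equals(preview_token($fileId, $uid), $token)) {
            return true;
        }
    }
    // Missing token (or, by assumption here, one that does not verify):
    // no exception is thrown, the decision falls back to the entity edit-access check.
    return can_edit_referencing_entity($fileId, $uid, $references);
}

// Constructed data: file 42 was just uploaded by user 7 on an unsaved node, so
// nothing references it yet; file 10 is referenced by a saved article user 3 may edit.
$references = [10 => [3]];
$cases = [
    'valid token, unsaved node'        => [42, 7, preview_token(42, 7)],
    'token minted for another user'    => [42, 8, preview_token(42, 7)],
    'no token, no saved reference'     => [42, 7, null],
    'no token, editor of saved entity' => [10, 3, null],
];
foreach ($cases as $label => [$fid, $uid, $token]) {
    $result = preview_access($fid, $uid, $token, $references) ? 'allow' : 'deny';
    printf("%-34s %s\n", $label, $result);
}
```

The third case is the "access denied" from the reproduction steps: without a token, an image on an unsaved node has no referencing entity for the fallback to check.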

  • bleen committed 5f122a9 on 8.x-1.x
    Issue #2790809 by bleen: Preview page return "Access Denied" when...
bleen’s picture

Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.