The path /file/progress/{key} is always available even for anonymous users. So if you navigate to /file/progress/test route you will end up with the following weird message.

{"message":"Starting upload...","percentage":-1}

I propose the route should return 403 or 404 when progress is not available for a given upload process.

Issue fork drupal-3445399

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

Chi created an issue. See original summary.

kim.pepper made their first commit to this issue’s fork.

kim.pepper opened merge request !8036

kim.pepper’s picture

kim.pepper
Primary language English
Location 🏄‍♂️🇦🇺Sydney, Australia
commented
Status: Active » Needs review

I think it's feasible that anonymous users would be able to see file upload progress, so I don't think it's an access thing. But I do agree we should check if the extension is enabled.

Created a MR.

chi’s picture

chi commented

@kim.pepper

Even if the extension is enabled the message `{"message":"Starting upload...","percentage":-1}` will still appear when no upload process is available.

smustgrave’s picture

smustgrave commented
Status: Needs review » Needs work
Issue tags: +Needs issue summary update

Can the issue summary be updated to match the standard template?

See there is a test failure so maybe updating that will be enough coverage for the change being made.

quietone’s picture

quietone commented
Version: 11.0.x-dev » 11.x-dev

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.