A user with permission to edit an image file field is not allowed to use the autocomplete reference. As far as I can see, the custom FieldAccessCheck checks for edit access on the field_config entity, which is an admin-level access:
public function access($entity_type, $bundle_name, $field_name, AccountInterface $account) {
  $field = entity_load('field_config', $entity_type . '.' . $bundle_name . '.' . $field_name);
  return $field->access('edit', $account, TRUE);
}
For non-admin users, it returns neutral when allowed is needed to allow access.
Comments
Comment #2
urodriguezpomba commented:
Hi, I confirm this issue. Can anyone help with this? No other user than admin can reference a file.
Thanks to anyone who can help.
Comment #3
euk commented:
Hi!
I confirm the issue too.
Looking at the code - why would file reference be tied to field edit permissions??
Checking core's entity reference route - it has _access = 'TRUE', which, if applied to the issue at hand, solves the issue.
I wonder what would be the concerns regarding this?
Patch attached...
Comment #4
gnuget commented:
I spent one hour today reading the code to know why this check is done.
Basically this is a problem introduced in the port from D7.
In D7 we have:
and the code of _filefield_sources_field_access is:
Which seems to be similar to what the code is doing in D8 but... nope, I checked the field_access function and I found this:
So what the field_access function does is check if the user has permissions to edit the VALUE of the field in a specific entity (node), not if the user has permissions to edit the CONFIGURATION of the field. 🙂
So, great work euk, thank you for pointing me in the right direction.
So... I would say that we need to fix that check and add code to make sure that the user has permissions to edit the value of the field.
Comment #5
gnuget commented:
Ok, I think the entity should be passed to Drupal\filefield_sources\Access\FieldAccessCheck\access and use EntityAccessControlHandlerInterface::fieldAccess to evaluate if the user has permission.
I will try to work on this on the weekend, but if someone else wants to take a stab at it, they are more than welcome :-)
Comment #6
euk commented:
I have it on my plate, so could check the solution today.
If no patch by the end of the day - then it is your turn =)
Comment #7
euk commented:
Comment #8
euk commented:
Did a bit of coding, and this is the patch I came up with.
My immediate issue is that no user other than an admin can reference a file. This patch solves it with the help of EntityAccessControlHandlerInterface::fieldAccess as suggested above by #2840934-5: Autocomplete reference search access denied by @gnuget.
However, I have no idea of possible use cases where the field might have restrictions, and thus how to test it thoroughly.
This needs peer review.
Comment #9
euk commented:
Same patch but for @alpha4 version
Comment #10
gnuget commented:
I worked on this today. Basically, if the user doesn't have permission to edit the value of a specific field, then it shouldn't be allowed to use the route that returns the results of the autocomplete either.
So, if no permission is granted for the field then
https://test.com/file/reference/node/article/field_test?q=test
should return forbidden.
I used this code in a custom module to test that behavior:
I made a few changes to #8. Basically, I injected the service instead of using the global namespace; I did this so I can write a small test to make sure that the access check only passes if the user is allowed to edit the field.
Patch attached.
Thanks!
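An added example of the approach discussed in #5 through #10, not the patch attached to this issue and not the module's own code: an access checker that asks whether the account may edit the field's value, with its services injected. The module namespace, class name and fail-closed handling of unknown route parameters are assumptions made for illustration.

```php
<?php

namespace Drupal\example_field_access\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityFieldManagerInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Entity\FieldableEntityInterface;
use Drupal\Core\Routing\Access\AccessInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Added example: gates an autocomplete route on access to edit the field's
 * VALUE, not its configuration. Register it as a service tagged
 * "access_check" (module and class names here are hypothetical).
 */
class FieldValueAccessCheck implements AccessInterface {

  protected $entityTypeManager;
  protected $entityFieldManager;

  // Services are injected so a test can replace them with mocks.
  public function __construct(EntityTypeManagerInterface $entity_type_manager, EntityFieldManagerInterface $entity_field_manager) {
    $this->entityTypeManager = $entity_type_manager;
    $this->entityFieldManager = $entity_field_manager;
  }

  public function access($entity_type, $bundle_name, $field_name, AccountInterface $account) {
    // Route parameters are user-controlled: fail closed on anything unknown
    // instead of letting an exception or a neutral result decide.
    $type = $this->entityTypeManager->getDefinition($entity_type, FALSE);
    if (!$type || !$type->entityClassImplements(FieldableEntityInterface::class)) {
      return AccessResult::forbidden();
    }
    $definitions = $this->entityFieldManager->getFieldDefinitions($entity_type, $bundle_name);
    if (!isset($definitions[$field_name])) {
      return AccessResult::forbidden();
    }
    // The route carries no entity, so $items is NULL: this asks whether the
    // account may edit the field in general. Modules implementing
    // hook_entity_field_access() can still return forbidden here.
    return $this->entityTypeManager
      ->getAccessControlHandler($entity_type)
      ->fieldAccess('edit', $definitions[$field_name], $account, NULL, TRUE);
  }

}
```

With `$items` set to NULL, core's default handler allows access unless a hook forbids it, so this check does not by itself verify that the account may create or edit entities of that bundle.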
Comment #12
gnuget commented:
Thanks for all the help with this one :-)
I just pushed the changes.
David.