Autocomplete reference search access denied

Hi, I confirm this issue. Can anyone help with this? No other user than admin can reference a file.

Thanks for anyone can help.

Hi!
I confirm the issue too.

Looking at the code - why would file reference be tied to field edit permissions??

Checking the core's entity reference route - it has _access = 'TRUE', which if applied to the issue at hands - solves the issue.
I wonder what would be the concerns regarding this?

Patch attached...

I spent one hour today reading the code to know why this check is done.

Basically this is a problem introduced in the port from D7.

In D7 we have:

/**
 * Implements hook_menu().
 */
function filefield_source_reference_menu() {
  $items = array();

  $items['file/reference/%/%/%'] = array(
    'page callback' => 'filefield_source_reference_autocomplete',
    'page arguments' => array(2, 3, 4),
    'access callback' => '_filefield_sources_field_access',
    'access arguments' => array(2, 3, 4),
    'file' => 'sources/reference.inc',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

and the code of _filefield_sources_field_access is:

/**
  * Menu access callback; Checks user access to edit a file field.
  */
function _filefield_sources_field_access($entity_type, $bundle_name, $field_name) {
  $field = field_info_field($field_name);
  return field_access('edit', $field, $entity_type);
}

Which seems to be similar to what the code is doing in D8 but... nop, I checked the field_access function and I found this:

/**
* Determine whether the user has access to a given field.
*
* This function does not determine whether access is granted to the entity
* itself, only the specific field. Callers are responsible for ensuring that
* entity access is also respected. For example, when checking field access for
* nodes, check node_access() before checking field_access(), and when checking
* field access for entities using the Entity API contributed module,
* check entity_access() before checking field_access().

So what the field_access function do is check if the user has permissions to edit the VALUE of the field in an specific entity (node), not if the user has permissions to edit the CONFIGURATION of the field. 🙂

So, great work euk, thank you for pointing me in the right direction.

So... I would say that we need to fix that check and add code to make sure that the user has permissions to edit the value of the field.

Ok, I think the entity should be passed to Drupal\filefield_sources\Access\FieldAccessCheck\access and use EntityAccessControlHandlerInterface::fieldAccess to evaluate if the user has permission.

I will try to work on this on the weekend but if someone else wants to take a stab at it is more than welcome :-)

I have it on my plate, so could check the solution today.
If no patch by the end of the day - then it is your turn =)

Did a bit of coding, and this is the patch I came up with.

My immediate issue is that no user other than an admin can reference a file. This patch solves it with the help of EntityAccessControlHandlerInterface::fieldAccess as suggested above by #2840934-5: Autocomplete reference search access denied by @gnuget.

However, I have no idea of possible use cases where the field might have restrictions, and thus how to test it thoroughly.

This needs peer review.

Same patch but for @alpha4 version

I worked on this today, basically, if the user hasn't permission to edit the value of a specific field then it shouldn't be allowed to user the route that return the results of the autocomplete either.

So, if no permission is granted for the field then https://test.com/file/reference/node/article/field_test?q=test should return forbidden.

I used this code in a custom module to test that behavior:

/**
 * Implements hook_entity_field_access().
 */
function test_entity_field_access(
  $operation,
  \Drupal\Core\Field\FieldDefinitionInterface $field_definition,
  \Drupal\Core\Session\AccountInterface $account,
  \Drupal\Core\Field\FieldItemListInterface $items = null
) {
  if ($operation == 'edit' && $field_definition->getName() == 'field_test') {
    return \Drupal\Core\Access\AccessResult::forbidden('error');
  }
  return \Drupal\Core\Access\AccessResult::neutral();
}

I made a few changes to #8, basically I injected the service instead to use the global namespace, I did this so I can write a small test to make sure that the access check only pass if the user is allowed to edit the field.

Patch attached.

Thanks!

Thanks for all the help with this one :-)

I just pushed the changes.

David.