Drupal 8 - Custom file access/download permissions per user role

This is a support request I think, but leaving as a bug report for now.

If files are referenced by an entity that an authenticated user has access to, then they'll be accessible to authenticated users. Can you confirm whether you're uploading the files via core's file field or via some other method?

Using Module Field Permissions, Site administrators able to set field-level permissions to edit, view and create fields on any entity according to the specific roles.

Using this module we can set the permission of download file for authenticated or anonymous users.

I have similar problem and I solve it like this:

I created custom module which ads cookie (user_cookie_save()) based on user role on log in (hook_user_login()) and delete it on log out (hook_user_logout()). I created "private" folder with .htaccess that allow access based on this cookie value.
This means that private files must be in this folder - separated form other files.

In my case I have only 2 options for users (can see, can not see file) but if you have multilevel permissions this solution probably won't work.
I know that this is not super secure technique, but in my case it is enough to stop bots and regular user to access this files.

If you are interested, I can share my code.

Does hook_file_download not work for the use case in the original post?

I did not successfully find a solution to use hook_file_download if someone has the direct file URL - it seems that Drupal is not included in file rendering process at all.

From Drupal Docs (hook_file_download)
"This hook allows modules to enforce permissions on file downloads whenever Drupal is handling file download, as opposed to the web server bypassing Drupal and returning the file from a public directory."

So how can we force Drupal to handle file display/download if user has direct URL?

Do you mean URLs to the public file system?

Yes, for example: "www.example.com/sites/default/files/2017-11/example.pdf"

@zanvidmar I see. The subject of this issue is the private file system. The public system is, well... public. I suggest opening a forums thread to discuss.

Did you check out the content access module (https://www.drupal.org/project/content_access)?

I use it for content types with private file fields, an depending on the permission I set for the content type (or even a specific node) anonymous users can either see the node (and the attached file!) or not.

If not, they get an "access denied" error for both the node and the file by drupal.

Try this:

use Drupal\Core\Access\AccessResult;

function hook_entity_access(\Drupal\Core\Entity\EntityInterface $entity, $operation, \Drupal\Core\Session\AccountInterface $account) {
  return AccessResult::allowed();
}

@alx_benjamin

I search to create a custom access to the files of the site (depending by roles). Your code is an interesting base code for entity access.
In your opinion can I use this code for the files?

Thanks for your help.

Thanks @alx_benjamin #17 worked.
#18 @kumkum29, yes you can use it with files. $entity->bundle() == 'file'

It looks like there is an answer.