Access denied to published private file if original translation is unpublished [#2887696]

Problem/Motivation

When trying to access a file that is referenced by a single entity, access is denied if that entity's original translation is unpublished, even if a published translation referencing the same file exists.

Steps to reproduce:

Use a multilingual site with content_translation
Create a translatable entity with a file/image field as unpublished
Create a published translation of the entity
Access the file as guest

Expected result:
File is displayed, because the translation is accessible.

Actual result:
The user receives a 403.

Proposed resolution

Check all translations of the referencing entity and grant file access if at least one translation is accessible. (Field access should still be checked.)

Remaining tasks

Write tests to reproduce the issue.

Comment	File	Size	Author
#12	2887696-12.patch	2.55 KB	ranjith_kumar_k_u
#12	9.4.x: PHP 8.1 & MySQL 5.7 29,784 pass 10.1.x: PHP 8.1 & MySQL 5.7 28,934 pass
#9	drupal-private_file_unpublished-2887696-9.patch	2.58 KB	herved
#9	8.9.x: PHP 7.3 & MySQL 5.7 28,638 pass 9.4.x: PHP 8.1 & MySQL 5.7 Patch Failed to Apply
#2	drupal-private_file_unpublished-2887696-2.patch	1.5 KB	ckaotik
#2	8.3.x: PHP 5.6 & MySQL 5.5 21,795 pass

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

20 June 2017 at 11:11

ckaotik created an issue. See original summary.

Comment #2

ckaotik

German

Berlin

CreditAttribution: ckaotik at werk21 commented 20 June 2017 at 11:13

Assigned:	ckaotik	» Unassigned
Status:	Active	» Needs review

File	Size
drupal-private_file_unpublished-2887696-2.patch	1.5 KB
8.3.x: PHP 5.6 & MySQL 5.5 21,795 pass

Please review the attached patch.

Comment #3

20 June 2017 at 11:13

Version:

8.3.x-dev

» 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #4

20 June 2017 at 11:13

Version:

8.4.x-dev

» 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #5

20 June 2017 at 11:13

Version:

8.5.x-dev

» 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #6

20 June 2017 at 11:13

Version:

8.6.x-dev

» 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Comment #7

Anybody

German

Porta Westfalica

CreditAttribution: Anybody at DROWL.de commented 20 April 2020 at 10:16

Comment #8

20 April 2020 at 10:16

Version:

8.8.x-dev

» 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Comment #9

herved CreditAttribution: herved commented 26 April 2021 at 13:00

File	Size
drupal-private_file_unpublished-2887696-9.patch	2.58 KB
8.9.x: PHP 7.3 & MySQL 5.7 28,638 pass 9.4.x: PHP 8.1 & MySQL 5.7 Patch Failed to Apply

File

Size

drupal-private_file_unpublished-2887696-9.patch

2.58 KB

8.9.x:
PHP 7.3 & MySQL 5.7 28,638 pass

9.4.x:
PHP 8.1 & MySQL 5.7 Patch Failed to Apply

Since file fields can be marked as translatable, shouldn't we check if the referenced entity translation being tested actually contains the file we are checking access for?

Here is my setup:
- Create a content type and mark it as translatable
- Create a file field in that content type using private scheme and mark it as translatable
- Create a node (NodeOrig), with a file (FileOrig), publish and save
- Create a translation of that node (NodeTrans), with a different file (FileTrans), publish and save

Behavior with patch #2:
- When we unpublish NodeTrans: FileTrans and FileOrig are still both accessible
- When we unpublish NodeOrig: FileTrans and FileOrig are both inaccessible
- When we unpublish both: FileTrans and FileOrig are both inaccessible

Expected behavior (patch #9):
- When we unpublish NodeTrans: FileTrans should become inaccessible, but FileOrig should still be accessible
- When we unpublish NodeOrig: FileOrig should become inaccessible, but FileTrans should still be accessible
- When we unpublish both: FileTrans and FileOrig should both be inaccessible

And so maybe we could rename the issue summary and title (something like: "Take translations of referencing entities into account when checking private files access") ?

Comment #10

26 April 2021 at 13:00

Version:

8.9.x-dev

» 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Comment #11

26 April 2021 at 13:00

Version:

9.2.x-dev

» 9.3.x-dev

Comment #12

ranjith_kumar_k_u CreditAttribution: ranjith_kumar_k_u at Zyxware Technologies commented 17 May 2022 at 11:08

File	Size
2887696-12.patch	2.55 KB
9.4.x: PHP 8.1 & MySQL 5.7 29,784 pass 10.1.x: PHP 8.1 & MySQL 5.7 28,934 pass

File

Size

2887696-12.patch

2.55 KB

9.4.x:
PHP 8.1 & MySQL 5.7 29,784 pass

10.1.x:
PHP 8.1 & MySQL 5.7 28,934 pass

Rerolled #9 for 9.4

Comment #13

17 May 2022 at 11:08

Version:

9.3.x-dev

» 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Comment #14

17 May 2022 at 11:08

Version:

9.4.x-dev

» 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Comment #15

Omega_yang CreditAttribution: Omega_yang as a volunteer commented 18 January 2023 at 07:16

Wow, this is good patch. But I found similar problem, when upload file to ckeidtor not image field. It also display similar problem.

Comment #16

smustgrave CreditAttribution: smustgrave at Mobomo commented 14 February 2023 at 16:37

Status:	Needs review	» Needs work
Issue tags:		+Needs Review Queue Initiative

For the tests.

Comment #17

14 February 2023 at 16:37

Version:

9.5.x-dev

» 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.