Problem/Motivation
When trying to access a file that is referenced by a single entity, access is denied if that entity's original translation is unpublished, even if a published translation referencing the same file exists.
Steps to reproduce:
- Use a multilingual site with content_translation
- Create a translatable entity with a file/image field as unpublished
- Create a published translation of the entity
- Access the file as guest
Expected result:
File is displayed, because the translation is accessible.
Actual result:
The user receives a 403.
Proposed resolution
Check all translations of the referencing entity and grant file access if at least one translation is accessible. (Field access should still be checked.)
Remaining tasks
Write tests to reproduce the issue.
Comment | File | Size | Author |
---|---|---|---|
#12 | 2887696-12.patch | 2.55 KB | ranjith_kumar_k_u |
#9 | drupal-private_file_unpublished-2887696-9.patch | 2.58 KB | herved |
#2 | drupal-private_file_unpublished-2887696-2.patch | 1.5 KB | ckaotik |
Comments
Comment #2
ckaotik
Please review the attached patch.
Comment #7
Anybody
Comment #9
herved commented:
Since file fields can be marked as translatable, shouldn't we check if the referenced entity translation being tested actually contains the file we are checking access for?
Here is my setup:
- Create a content type and mark it as translatable
- Create a file field in that content type using private scheme and mark it as translatable
- Create a node (NodeOrig), with a file (FileOrig), publish and save
- Create a translation of that node (NodeTrans), with a different file (FileTrans), publish and save
Behavior with patch #2:
- When we unpublish NodeTrans: FileTrans and FileOrig are still both accessible
- When we unpublish NodeOrig: FileTrans and FileOrig are both inaccessible
- When we unpublish both: FileTrans and FileOrig are both inaccessible
Expected behavior (patch #9):
- When we unpublish NodeTrans: FileTrans should become inaccessible, but FileOrig should still be accessible
- When we unpublish NodeOrig: FileOrig should become inaccessible, but FileTrans should still be accessible
- When we unpublish both: FileTrans and FileOrig should both be inaccessible
And so maybe we could rename the issue summary and title (something like: "Take translations of referencing entities into account when checking private files access")?
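The three access rules discussed in this issue, compared on the setup from comment #9, as an added example that is not part of the thread or of any attached patch. It is a simplified Python model, not Drupal code: the class and function names are hypothetical, `published` stands in for the result of the entity view access check for a guest, and field access is assumed to be granted.

```python
from dataclasses import dataclass, field

@dataclass
class Translation:
    published: bool                          # stands in for "guest may view this translation"
    files: set = field(default_factory=set)  # files in the translatable private file field

@dataclass
class Node:
    original: str        # langcode of the original translation
    translations: dict   # langcode -> Translation

def original_only(node, file_id):
    """Reported behaviour: only the original translation is consulted."""
    return node.translations[node.original].published

def any_translation(node, file_id):
    """Proposed resolution as worded: one accessible translation is enough."""
    return any(t.published for t in node.translations.values())

def translation_holding_file(node, file_id):
    """Comment #9: the accessible translation must itself reference the file."""
    return any(t.published and file_id in t.files
               for t in node.translations.values())

def scenario(orig_published, trans_published):
    # Constructed data mirroring the setup in comment #9.
    return Node("en", {
        "en": Translation(orig_published, {"FileOrig"}),
        "fr": Translation(trans_published, {"FileTrans"}),
    })

def matrix(rule):
    """Map (NodeOrig published, NodeTrans published) -> (FileOrig ok, FileTrans ok)."""
    return {
        (o, t): (rule(scenario(o, t), "FileOrig"), rule(scenario(o, t), "FileTrans"))
        for o in (True, False) for t in (True, False)
    }

if __name__ == "__main__":
    for rule in (original_only, any_translation, translation_holding_file):
        print(rule.__name__)
        for state, result in matrix(rule).items():
            print("  orig/trans published", state, "-> FileOrig/FileTrans viewable", result)
```

In this model, `any_translation` keeps FileTrans viewable after NodeTrans is unpublished, which is the over-grant the per-translation rule avoids.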
Comment #12
ranjith_kumar_k_u at Zyxware Technologies commented:
Rerolled #9 for 9.4
Comment #15
Omega_yang as a volunteer commented:
Wow, this is a good patch. But I found a similar problem when uploading a file to CKEditor, not an image field. It also displays a similar problem.
Comment #16
smustgrave at Mobomo commented:
For the tests.