Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.
By xjm on
Change record status:
Published (View all published change records)
Project:
Introduced in branch:
9.3.x
Introduced in version:
9.3.19
Description:
Some sites have the private files directory inside the public files directory (e.g. drupal/sites/files/private). Due to a file field misconfiguration or other issue, some such sites might be relying on unrestricted access being allowed to files inside the private directory, which should no longer be possible after SA-CORE-2022-012.
If parts of your file or image content become inaccessible after this release, add the following line to your site's settings.php:
$settings['sa_core_2022_012_override'] = TRUE;
This setting is a temporary backwards-compatibility layer for misconfigured sites and will be removed in a future release. In the long term, you should migrate your uploaded files to the correct public or private directories.
- Visit
/admin/reports/fields - Under the Field type column, look for fields labeled things like File (module: file) or Image (module: image).
- For each file or image field check its file upload directory, click the link to the entity under the Used in column.
- Select Field Settings from the dropdown in the row for the file or image field.
- Under Upload destination, review whether the field is intended to use public or private file uploads.
- Click on the Edit tab and look at the File directory field. If this content is supposed to be public, ensure the upload directory is not set with a path to a private files directory.
- If any file or image fields were misconfigured, migrate the content to the correct directories.
Impacts:
Site builders, administrators, editors
Module developers
Site templates, recipes and distribution developers
