Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.For both file fields and image fields, the 'Maximum upload size' is ignored.
It's easy to replicate:
- In a content type create a file and/or image field and set the 'Maximum upload size' to a really small value like "512" (512 bytes) or "4 KB" (4 kilobytes).
- Create a node and notice that the descriptions do say 'Files must be less than 512 bytes' and 'Files must be less than 4 KB'. Select a file/image that is larger than that.
- Now press the upload button on the field or simply save the node. No warnings or errors are displayed and the files are successfully uploaded.
The expected behavior is that an error is displayed that the files are too large, and that the upload is unsuccessful.
Remark: this is not related to #1218256: MAXIMUM UPLOAD SIZE not working! which was related to php.ini.
Comments
Comment #1
wmostrey CreditAttribution: wmostrey commentedIt's only ignored for uid 1 but this is not documented for the end user. Should uid 1 be allowed to do this, even though all other $validators are respected? If so, feel free to close this issue.
Comment #2
wmostrey CreditAttribution: wmostrey commentedI attached the patches to remove the bypass in Drupal 7 and Drupal 8. There is no reason to bypass the maximum upload size restriction for uid 1, while enforcing all other restrictions like maximum image dimension for example.
Comment #3
Bojhan CreditAttribution: Bojhan commentedI see no reason why we should change this in D7. This is a feature, that its not documented is a bug on its own - removing it is a feature request.
All that a side, yes - I think we should remove as many special casing for UID1 as ppossible
Comment #5
wmostrey CreditAttribution: wmostrey commentedRemoving the associated test and leaving Drupal 7 as it is for now.
Comment #6
droplet CreditAttribution: droplet commentedComment #7
chx CreditAttribution: chx commentedThat was a very short reasoning (ie nothing at all) for an RTBC of a possibly feature. uid 1 is supposed to be god-like so why the restriction?
Comment #8
wmostrey CreditAttribution: wmostrey commentedIf uid 1 is supposed to be god-like then this should turn into a patch that also removes the image dimension restriction for example. I see no good reason to only bypass this one restriction.
Comment #9
droplet CreditAttribution: droplet commentedUID 1 able to config the site to allow ownself to upload larger files. I don't see any reason of bypass this one
Comment #10
wmostrey CreditAttribution: wmostrey commentedRe-rolled the patch.
Comment #11
Dave ReidCorrect. I've encountered several people filing bug reports because their user was allowed to upload larger files then they thought they should (either more than the limit set in the field instance settings or the PHP max upload size), because they were user 1.
Comment #12
Dave ReidComment #13
catch#10: upload_restrictions_for_uid1_drupal8-1223194.patch queued for re-testing.
Comment #15
wmostrey CreditAttribution: wmostrey commentedComment #16
danlinn CreditAttribution: danlinn commented#15: remove_max_upload_size_uid_1-1223194-15.patch queued for re-testing.
Comment #18
marthinal CreditAttribution: marthinal commentedAlready fixed at #1468210: Remove special $user->uid == 1 check in file_validate_size() .
Comment #19
Dave ReidMarking as duplicate of #1468210: Remove special $user->uid == 1 check in file_validate_size()
Comment #20
Gábor HojtsyFix media tag.