Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
The code in FileAccessControlHandler::checkAccess() will return FALSE if a file is not uploaded by the current user, and does not have any public references. It seems like we should be bypassing this entirely if the file is using the public file system, in which case we should be returning TRUE no matter what.
Comment | File | Size | Author |
---|---|---|---|
#21 | interdiff.txt | 3.6 KB | Dave Reid |
#21 | 2533978-fix-public-file-view-download-access.patch | 3.84 KB | Dave Reid |
#19 | interdiff.txt | 442 bytes | thenchev |
#19 | core-entity_access-2533978-19.patch | 3.17 KB | thenchev |
Comments
Comment #1
Dave ReidComment #2
Dave ReidComment #3
thenchev CreditAttribution: thenchev at MD Systems GmbH commentedComment #5
thenchev CreditAttribution: thenchev at MD Systems GmbH commentedUpdated the comment and fixed the return value.
Comment #6
thenchev CreditAttribution: thenchev at MD Systems GmbH commentedAdded test.
Comment #7
BerdirCan you try to use FileManagedUnitTestBase?
coding style: missing space.
Test so far looks good.
But since tests should always also have negative cases, let's add a second file that uses private:// and make sure that users don't have access to that by default.
Comment #8
thenchev CreditAttribution: thenchev at MD Systems GmbH commentedLeft FileManagedTestBase because of the issue with private files. everything else is updated.
Comment #9
legolasboNit: extraneous whitespace
Nit: I think this should be if/elseif in stead of two if statements.
Let's put this on one line.
Also:
/s/different/authenticated
Also put this on one line
Ditto
Ditto
Missing new line
Comment #10
legolasboComment #11
thenchev CreditAttribution: thenchev at MD Systems GmbH commented#9.1 not sure i get that?
#9.2 using if else now.
#9.3 added authenticated in addition to different because we are checking if the file is accessible to a different user then the one created the file. Thoughts?
everything else should be resolved.
Comment #12
legolasboThe second line (26 of FileAccessControlHandler) is a blank line. Hence the Extraneous whitespace comment.
As you can see, the previous comment describes adding an authenticated user to check file access. Therefor the asserTrue description should be "Public file is accessible to authenticated user". "different" should be removed.
Other than that, good work. Thanks!
Comment #13
thenchev CreditAttribution: thenchev at MD Systems GmbH commentedHope this addresses all the issues.
Comment #14
legolasboSorry I missed these earlier.
Let's document this a bit more clearly. i.e. "Tests access to managed files"
Let's call this class FileManagedAccessTest, since that's what it is.
Remove "different"
Comment #15
thenchev CreditAttribution: thenchev at MD Systems GmbH commentedComment #16
legolasboClassname should be updated in documentation aswel
This test also tests if private files are never accessible.
While we are at it, shouldn't we also test if private files are accessible if and when they should be?
Comment #17
legolasboComment #18
BerdirWe are just adding test coverage for the new code. We already have file access tests for private files (lots of them).
Comment #19
thenchev CreditAttribution: thenchev at MD Systems GmbH, MontenaSoft commentedUps, forgot to change in docs.
Left tests for now as they are.
Comment #20
slashrsm CreditAttribution: slashrsm commentedDo we want to include "download" here too?
Comment #21
Dave ReidDefinitely needs to cover the download operation. Expanded test coverage for it. Also fixed that file_uri_scheme() is deprecated.
Comment #22
slashrsm CreditAttribution: slashrsm commentedLooks good to me.
Comment #23
alexpottThis issue addresses a major bug and is allowed per https://www.drupal.org/core/beta-changes. Committed 7b91c7f and pushed to 8.0.x. Thanks!