The code in FileAccessControlHandler::checkAccess() will return FALSE if a file is not uploaded by the current user, and does not have any public references. It seems like we should be bypassing this entirely if the file is using the public file system, in which case we should be returning TRUE no matter what.

CommentFileSizeAuthor
#21 interdiff.txt3.6 KBDave Reid
#21 2533978-fix-public-file-view-download-access.patch3.84 KBDave Reid
#19 interdiff.txt442 bytesthenchev
#19 core-entity_access-2533978-19.patch3.17 KBthenchev
#15 interdiff.txt4.41 KBthenchev
#15 core-entity_access-2533978-15.patch3.16 KBthenchev
#13 interdiff.txt1.53 KBthenchev
#13 core-entity_access-2533978-13.patch3.11 KBthenchev
#11 interdiff.txt2.72 KBthenchev
#11 core-entity_access-2533978-11.patch3.1 KBthenchev
#8 interdiff.txt1.95 KBthenchev
#8 core-entity_access-2533978-8.patch3.01 KBthenchev
#6 interdiff.txt1.41 KBthenchev
#6 2533978_6.patch2.2 KBthenchev
#5 interdiff.txt858 bytesthenchev
#5 2533978-5.patch807 bytesthenchev
#3 2533978-3.patch787 bytesthenchev
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Dave Reid’s picture

Dave Reid
he/him
Primary language English
Location Nebraska USA
CreditAttribution: Dave Reid as a volunteer commented
Related issues: +#2128791: File resource needs an access controller, +#2148353: File access (hook_file_download) does not use an EntityAccessController, +#2078473: Use entity access API for checking access to private files
Dave Reid’s picture

Dave Reid
he/him
Primary language English
Location Nebraska USA
CreditAttribution: Dave Reid as a volunteer commented
Related issues: +#2310307: File needs CRUD permissions to make REST work on entity/file/{id}
thenchev’s picture

thenchev CreditAttribution: thenchev at MD Systems GmbH commented
Status: Active » Needs review
FileSize
2533978-3.patch787 bytes

Status: Needs review » Needs work

The last submitted patch, 3: 2533978-3.patch, failed testing.

thenchev’s picture

thenchev CreditAttribution: thenchev at MD Systems GmbH commented
Status: Needs work » Needs review
FileSize
2533978-5.patch807 bytes
interdiff.txt858 bytes

Updated the comment and fixed the return value.

thenchev’s picture

thenchev CreditAttribution: thenchev at MD Systems GmbH commented
FileSize
2533978_6.patch2.2 KB
interdiff.txt1.41 KB

Added test.

Berdir’s picture

Berdir
Primary language German
Location Switzerland
CreditAttribution: Berdir at MD Systems GmbH commented
Status: Needs review » Needs work 
  1. +++ b/core/modules/file/src/Tests/AccessTest.php
@@ -0,0 +1,46 @@
+class AccessTest extends FileManagedTestBase {

    Can you try to use FileManagedUnitTestBase? 

  2. +++ b/core/modules/file/src/Tests/AccessTest.php
@@ -0,0 +1,46 @@
+  function testFileAccess(){

    coding style: missing space. 

  3. +++ b/core/modules/file/src/Tests/AccessTest.php
@@ -0,0 +1,46 @@
+
+    // Create anonymous user to check file access.
+    $account = $this->createUser()->getAnonymousUser();
+    $access = $file->access('view', $account);
+    $this->assertTrue($access, 'Public file is accessible to anonymous user');

    Test so far looks good.

    But since tests should always also have negative cases, let's add a second file that uses private:// and make sure that users don't have access to that by default.

thenchev’s picture

thenchev CreditAttribution: thenchev at MD Systems GmbH commented
Status: Needs work » Needs review
FileSize
core-entity_access-2533978-8.patch3.01 KB
interdiff.txt1.95 KB

Left FileManagedTestBase because of the issue with private files. everything else is updated.

legolasbo’s picture

legolasbo
he/him
Primary language Dutch
Location Middelburg
CreditAttribution: legolasbo at Ibuildings commented 
  1. +++ b/core/modules/file/src/FileAccessControlHandler.php
@@ -23,6 +23,10 @@ class FileAccessControlHandler extends EntityAccessControlHandler {

    Nit: extraneous whitespace 

  2. +++ b/core/modules/file/src/FileAccessControlHandler.php
@@ -23,6 +23,10 @@ class FileAccessControlHandler extends EntityAccessControlHandler {
+    if (($operation == 'view') && (file_uri_scheme($entity->getFileUri()) == 'public')) {
+      return AccessResult::allowed();
+    }
     if ($operation == 'download' || $operation == 'view') {
       $references = $this->getFileReferences($entity);

    Nit: I think this should be if/elseif in stead of two if statements. 

  3. +++ b/core/modules/file/src/Tests/AccessTest.php
@@ -0,0 +1,71 @@
+    $access = $file->access('view', $account);
+
+    $this->assertTrue($access, 'Public file is accessible to different user');

    Let's put this on one line.
    Also:
    /s/different/authenticated 

  4. +++ b/core/modules/file/src/Tests/AccessTest.php
@@ -0,0 +1,71 @@
+    $access = $file->access('view', $account);
+
+    $this->assertTrue($access, 'Public file is accessible to anonymous user');

    Also put this on one line 

  5. +++ b/core/modules/file/src/Tests/AccessTest.php
@@ -0,0 +1,71 @@
+    $access = $file->access('view', $account);
+
+
+    $this->assertFalse($access, 'Public file is not accessible to different user');

    Ditto 

  6. +++ b/core/modules/file/src/Tests/AccessTest.php
@@ -0,0 +1,71 @@
+    $access = $file->access('view', $account);
+
+    $this->assertFalse($access, 'Public file is not accessible to anonymous user');

    Ditto 

  7. +++ b/core/modules/file/src/Tests/AccessTest.php
@@ -0,0 +1,71 @@
\ No newline at end of file

    Missing new line

legolasbo’s picture

legolasbo
he/him
Primary language Dutch
Location Middelburg
CreditAttribution: legolasbo at Ibuildings commented
Status: Needs review » Needs work
thenchev’s picture

thenchev CreditAttribution: thenchev at MD Systems GmbH commented
Status: Needs work » Needs review
FileSize
core-entity_access-2533978-11.patch3.1 KB
interdiff.txt2.72 KB

#9.1 not sure i get that?
#9.2 using if else now.
#9.3 added authenticated in addition to different because we are checking if the file is accessible to a different user then the one created the file. Thoughts?
everything else should be resolved.

legolasbo’s picture

legolasbo
he/him
Primary language Dutch
Location Middelburg
CreditAttribution: legolasbo at Ibuildings commented
Status: Needs review » Needs work 
  1. +++ b/core/modules/file/src/FileAccessControlHandler.php
@@ -23,7 +23,11 @@ class FileAccessControlHandler extends EntityAccessControlHandler {
   protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) {
 
-    if ($operation == 'download' || $operation == 'view') {
+    // Always allow access to file in public file system.

    The second line (26 of FileAccessControlHandler) is a blank line. Hence the Extraneous whitespace comment. 

  2. +++ b/core/modules/file/src/Tests/AccessTest.php
@@ -0,0 +1,68 @@
+    // Create authenticated user to check file access.
+    $account = $this->createUser(array('access site reports'));
+
+    $this->assertTrue($file->access('view', $account), 'Public file is accessible to different authenticated user');

    As you can see, the previous comment describes adding an authenticated user to check file access. Therefor the asserTrue description should be "Public file is accessible to authenticated user". "different" should be removed.

    3. Other than that, good work. Thanks!

thenchev’s picture

thenchev CreditAttribution: thenchev at MD Systems GmbH commented
Status: Needs work » Needs review
FileSize
core-entity_access-2533978-13.patch3.11 KB
interdiff.txt1.53 KB

Hope this addresses all the issues.

legolasbo’s picture

legolasbo
he/him
Primary language Dutch
Location Middelburg
CreditAttribution: legolasbo at Ibuildings commented

Sorry I missed these earlier.

  1. +++ b/core/modules/file/src/Tests/AccessTest.php
@@ -0,0 +1,69 @@
+/**
+ * Access file tests.
+ *

    Let's document this a bit more clearly. i.e. "Tests access to managed files" 

  2. +++ b/core/modules/file/src/Tests/AccessTest.php
@@ -0,0 +1,69 @@
+class AccessTest extends FileManagedTestBase {

    Let's call this class FileManagedAccessTest, since that's what it is. 

  3. +++ b/core/modules/file/src/Tests/AccessTest.php
@@ -0,0 +1,69 @@
+    $this->assertFalse($file->access('view', $account), 'Private file is not accessible to different authenticated user');

    4. Remove "different"

thenchev’s picture

thenchev CreditAttribution: thenchev at MD Systems GmbH commented
FileSize
core-entity_access-2533978-15.patch3.16 KB
interdiff.txt4.41 KB
legolasbo’s picture

legolasbo
he/him
Primary language Dutch
Location Middelburg
CreditAttribution: legolasbo at Ibuildings commented 
  1. +++ b/core/modules/file/src/Tests/FileManagedAccessTest.php
@@ -0,0 +1,69 @@
+ * @file
+ * Contains \Drupal\file\Tests\AccessTest.

    Classname should be updated in documentation aswel

    </li>
  <li>
+++ b/core/modules/file/src/Tests/FileManagedAccessTest.php
@@ -0,0 +1,69 @@
+   * Tests if public file is always accessible.

    This test also tests if private files are never accessible.

While we are at it, shouldn't we also test if private files are accessible if and when they should be?

legolasbo’s picture

legolasbo
he/him
Primary language Dutch
Location Middelburg
CreditAttribution: legolasbo at Ibuildings commented
Status: Needs review » Needs work
Berdir’s picture

Berdir
Primary language German
Location Switzerland
CreditAttribution: Berdir at MD Systems GmbH commented

We are just adding test coverage for the new code. We already have file access tests for private files (lots of them).

thenchev’s picture

thenchev CreditAttribution: thenchev at MD Systems GmbH, MontenaSoft commented
Status: Needs work » Needs review
FileSize
core-entity_access-2533978-19.patch3.17 KB
interdiff.txt442 bytes

Ups, forgot to change in docs.
Left tests for now as they are.

slashrsm’s picture

slashrsm CreditAttribution: slashrsm commented 
+++ b/core/modules/file/src/FileAccessControlHandler.php
@@ -22,8 +22,11 @@ class FileAccessControlHandler extends EntityAccessControlHandler {
+    if (($operation == 'view') && (file_uri_scheme($entity->getFileUri()) == 'public')) {

Do we want to include "download" here too?

Dave Reid’s picture

Dave Reid
he/him
Primary language English
Location Nebraska USA
CreditAttribution: Dave Reid as a volunteer commented
FileSize
2533978-fix-public-file-view-download-access.patch3.84 KB
interdiff.txt3.6 KB

Definitely needs to cover the download operation. Expanded test coverage for it. Also fixed that file_uri_scheme() is deprecated.

slashrsm’s picture

slashrsm CreditAttribution: slashrsm commented
Status: Needs review » Reviewed & tested by the community

Looks good to me.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Chapter Three commented
Status: Reviewed & tested by the community » Fixed

This issue addresses a major bug and is allowed per https://www.drupal.org/core/beta-changes. Committed 7b91c7f and pushed to 8.0.x. Thanks!

  • alexpott committed 7b91c7f on 8.0.x 
    Issue #2533978 by Denchev, Dave Reid, legolasbo, Berdir: $entity->access...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.