Problem/Motivation

In #2304969: Port private files access bypass from SA-CORE-2014-003, a new entity constraint was added to File and Image field types which ensures that a user can only add a reference to a file/image that they have access to.

This constraint is only supposed to verify access of the referenced file if it's a new/changed reference, meaning the user changed the reference from what it was to something else. However there is a bug in this code that forces the check to occur every time even if the reference didn't change.

I came across this bug when trying to add custom role-based view access control on media entities with private files:

  1. Create a media entity "Private Document" that has a private file schema
  2. Add a hook_media_access implementation that forbids "view" operation on entities of that media bundle to anyone without special role
  3. Add a new "Private Document" entity and upload a file and save
  4. Now go to edit the same entity, and try saving again. You get an error "You do not have access to the referenced entity (%type: %id)."

The problem occurs because the ReferenceAccessConstraint is now checking to ensure that the user has "view" access to the referenced private file on the file field. Well, since access of private file fields is delegated to the entity that references it, access is denied because the user that's editing the entity doesn't have that special role from step 2 above.

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Issue fork drupal-3009976

Comments

bkosborne created an issue. See original summary.

bkosborne

Status: Active » Needs review
Related issues: +#2304969: Port private files access bypass from SA-CORE-2014-003
File: new, 1.27 KB

So the bug is that the code assumed that $existing_entity->{$value->getFieldDefinition()->getName()}->referencedEntities(); returned an array of referenced file entities indexed by the entity ID, but that's not true. It returns an array of references indexed by the delta. This fixes it so that it's comparing the IDs properly.
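To make the delta-versus-ID mix-up concrete, the following stand-alone PHP sketch is added here as an illustration; it is not Drupal core's code and not the attached patch. It models a field whose referencedEntities() result is keyed by delta (as core's field item lists are), a check written the way the comment describes the buggy assumption, and a check that compares entity IDs. The class FileEntity and the functions referencedEntities(), mustCheckAccessBuggy() and mustCheckAccessFixed() are names chosen for this example only.

```php
<?php
// Added example, not Drupal core code. Names below are assumptions for
// illustration: FileEntity stands in for a file entity, referencedEntities()
// for FieldItemListInterface::referencedEntities().

final class FileEntity {
    public function __construct(private int $id) {}
    public function id(): int { return $this->id; }
}

/**
 * Mimics a field item list's referencedEntities(): the returned array is
 * keyed by field delta (0, 1, 2, ...), NOT by entity ID.
 *
 * @param int[] $targetIds target_id values already stored on the field
 * @return FileEntity[]
 */
function referencedEntities(array $targetIds): array {
    $entities = [];
    foreach (array_values($targetIds) as $delta => $targetId) {
        $entities[$delta] = new FileEntity($targetId);
    }
    return $entities;
}

/**
 * The flawed check as described in the comment: it treats the entity ID as an
 * array key, but the array is keyed by delta, so the lookup almost never hits
 * and "view" access ends up being re-checked on every save. The submitted
 * target ID is never consulted, which is part of the problem.
 * Returns TRUE when an access check would be performed.
 */
function mustCheckAccessBuggy(array $existingTargetIds, int $submittedTargetId): bool {
    $referenced = referencedEntities($existingTargetIds);
    foreach ($referenced as $ref) {
        // Only TRUE when an entity ID coincidentally equals a delta.
        if (isset($referenced[$ref->id()])) {
            return FALSE;
        }
    }
    return TRUE;
}

/**
 * The corrected check: compare the submitted target ID against the IDs of the
 * entities the saved (unchanged) revision already references. Only a reference
 * that was not there before triggers the "view" access check.
 */
function mustCheckAccessFixed(array $existingTargetIds, int $submittedTargetId): bool {
    foreach (referencedEntities($existingTargetIds) as $ref) {
        if ($ref->id() === $submittedTargetId) {
            // Already referenced before this save: not a new reference.
            return FALSE;
        }
    }
    return TRUE;
}

// Constructed scenario from the issue summary: the entity already references
// file 42 at delta 0 and the user re-saves the form without changing the file.
$existingTargetIds = [0 => 42];
$unchangedSubmission = 42;
$newSubmission = 99;

printf("buggy, unchanged reference -> check access? %s\n",
    mustCheckAccessBuggy($existingTargetIds, $unchangedSubmission) ? 'yes' : 'no');
printf("fixed, unchanged reference -> check access? %s\n",
    mustCheckAccessFixed($existingTargetIds, $unchangedSubmission) ? 'yes' : 'no');
printf("fixed, new reference       -> check access? %s\n",
    mustCheckAccessFixed($existingTargetIds, $newSubmission) ? 'yes' : 'no');
```

Run with `php example.php`. With the unchanged reference, the delta-keyed lookup in the flawed version misses and it reports that access must be checked, which is what produces the "You do not have access to the referenced entity" error on a plain re-save when file access is delegated to the parent entity; the ID comparison only demands the check for a reference that was not stored before, so a genuinely new file is still subject to the "view" access test.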

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

bkosborne

Re-rolled for Drupal 8.8.x

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

dmouse

This patch works for me

sahal_va

Status: Needs review » Reviewed & tested by the community

I had a similar issue while editing a custom entity with a file upload field.
Though the file entity was uploaded by the user, he wasn't able to edit the entity due to referenced file validation error.
This patch solved the issue.

jungle

Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs tests, +Bug Smash Initiative

@bkosborne, thanks for filing this and working on it.

But bugs need a test, in general.

jungle

Issue summary: View changes

Applying IS template

larowlan

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

bkosborne

Why is this unpublished?

bkosborne

Still NW for tests I guess, but I created an MR at least.

larowlan

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.