Problem/Motivation

Administrators cannot access temporary files without usage that are owned by other users.

Steps to reproduce

1. Create an image field in a content type.
2. Create a node and upload an image, but do not save the node.
3. Go to /admin/content/files; the image file is temporary and its file usage is 0.
4. Click the file link and get Access Denied.

Proposed resolution

Add role check logic in the file_file_download function.
If the user is the Administrator, they are allowed to access the file, instead of only checking whether the file owner is the same as the current user.
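
The decision described above, modelled in plain PHP as an added example; it is not the patch from this issue or Drupal core code. The class, function names, the `$isAdmin` flag and the sample user ids are assumptions, and the cases mirror the steps to reproduce.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a file entity: only the fields this check reads.
final class FileRecord {
  public function __construct(
    public readonly bool $temporary,
    public readonly int $usageCount,
    public readonly int $ownerId,
  ) {}
}

// Rule described in the issue: a temporary file without usage passes only
// for its owner. TRUE means "not denied by this check", not "access granted".
function passes_owner_only(FileRecord $file, int $uid): bool {
  if ($file->temporary && $file->usageCount === 0) {
    return $file->ownerId === $uid;
  }
  return true;
}

// Proposed rule: the same check with an administrator exception.
// $isAdmin is an assumption; the page does not show how the patch derives it.
function passes_with_admin(FileRecord $file, int $uid, bool $isAdmin): bool {
  if ($file->temporary && $file->usageCount === 0) {
    return $file->ownerId === $uid || $isAdmin;
  }
  return true;
}

// Constructed cases: uid 5 uploaded the file, uid 2 is an administrator,
// uid 7 is an unrelated non-admin user.
$unused = new FileRecord(true, 0, 5);
$cases = [
  'owner, unused temporary file'      => [$unused, 5, false],
  'admin, unused temporary file'      => [$unused, 2, true],
  'other user, unused temporary file' => [$unused, 7, false],
  'other user, temporary with usage'  => [new FileRecord(true, 1, 5), 7, false],
  'other user, permanent file'        => [new FileRecord(false, 0, 5), 7, false],
];

// Only the administrator row should differ between the two rules.
foreach ($cases as $label => [$file, $uid, $isAdmin]) {
  printf("%-36s before=%-5s after=%s\n", $label,
    var_export(passes_owner_only($file, $uid), true),
    var_export(passes_with_admin($file, $uid, $isAdmin), true));
}
```

The same five rows can serve as the case matrix for a test of the change: the unrelated non-admin user must stay denied under both rules.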

Issue fork drupal-3389028


Comments

bijiaxing created an issue. See original summary.

cilefen’s picture

Status: Active » Needs review
Related issues: +#2949017: There is no way to delete file entities of other users

smustgrave’s picture

Status: Needs review » Needs work
Issue tags: +Needs tests

Thank you for reporting

Believe next steps would be to add a test case to show the issue and that the patch addresses it.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.

caesius’s picture

I have a custom module that generates PDFs with a temporary status (deliberate, since they're supposed to be ephemeral downloads) and only user 1 was able to access them. Using this patch allows other admin users to view the generated PDFs.

samitk made their first commit to this issue’s fork.

samitk’s picture

Issue tags: +Needs usability review

This patch does not apply to Drupal 11.x or the current main branch, as file_file_download() has been removed from core.

In Drupal 11+ and Drupal 12, file download access is handled via entity access control in core/modules/file/src/FileAccessControlHandler.php, rather than procedural file download functions.

The access logic would need to be implemented as part of the file entity’s download access check.

Adding this for discussion and feedback from others on the preferred approach.