Anonymous users are not able to upload files when the upload destination is set to "private files". This problem does not occur with the basic Drupal core file field, only when file_entity is enabled.
I ran into this problem when creating a job application form where anonymous users should submit their CV. After choosing a file, the file is automatically uploaded and gets a file id. Immediately the file field's ReferenceAccess constraint (\Drupal\Core\Entity\Plugin\Validation\Constraint\ReferenceAccessConstraint) kicks in and throws a validation error: You do not have access to the referenced entity (file: 1). The user is not able to submit the form.
Proposed solution: I'm not sure if this is doable, but ideally the ReferenceAccessConstraint would check if the file entity was created by the anonymous user (session) who is creating the reference, and allow the reference to be created.
Comment | File | Size | Author |
---|---|---|---|
#8 | FileEntityAccessControlHandler.patch | 989 bytes | Ruuds |
#7 | FileEntityAccessControlHandler.patch | 991 bytes | bmathieuh |
Comments
Comment #2
gplante CreditAttribution: gplante commentedI have the exact same problem. I would be happy to find a solution too.
Comment #3
pminfBecause of this issue we are not able to provide a private upload field in a contact form which is mandatory for sensitive data.
Comment #4
Yete CreditAttribution: Yete commentedI had same issue.
Using "webform module" seems to solve it, so anonymous user can upload files in private folder.
Comment #5
lokeshsn22 CreditAttribution: lokeshsn22 as a volunteer and commentedHi Guys,
Any update on the above issue.
Comment #6
marcvangendHi Lokesh, see https://drupal.stackexchange.com/a/215613/226 for some suggestions on how to solve this by overriding ReferenceAccessConstraintValidator::validate. I remember using this method back in 2016 but unfortunately I do not have access to the repository anymore so I cannot share the final code with you.
PS. Instead of "Hi guys" you may want to choose something more gender neutral. I know some people would appreciate it.
Comment #7
bmathieuhProposed solution: I add this code (copied from the file module) in the FileEntityAccessControlHandler::checkAccess function :
before checking the ownership of the file :
Thanks for reviewing the path attached.
Comment #8
Ruuds CreditAttribution: Ruuds at Groowup Digital Agency commented@marcvangend your proposed solution helped me out! Thank you.
I've fixed a typo in the patch which renamed the file_entity directory.