I'm not sure if I have something wonky going on in my site but I'm noticing that $resource->access($access_op, $id) will always return FALSE for anonymous users when query operation is set.
To replicate
- Give anonymous users the ability to use REST against nodes
- try to go to /node/1.xml (or whatever id; this will work)
- now try /node.xml?nid=1 (this will not work)
It appears that entity_access('view', 'node') (the function resource->access is calling) is returning false for me when no ID is set, but is fine if a specific id is passed through (assuming anonymous can view published nodes). Has anyone else experienced this issue or can replicate this? I may just have to make an authenticated request so that I can return results but querying is a key piece of functionality in this module.
Comments
Comment #1
btopro CreditAttribution: btopro commentedFigured this out. It is possible but usually requires way too high a level of access rights to achieve (obviously).
I was able to track down that you need to be running Entity API dev to fix querying of files. The last stable release of entity is missing #1136356: Fix file access which should allow for querying of files by this module.
incredible module btw
Comment #2
btopro CreditAttribution: btopro commentedappears generic querying of file is not supported by the entity module's implementation of this... looks like a module that specifically profides an override for allowing files to be displayed (via permissions) would be needed. Files appears to have one of the stricter security policies of any of the entity's I've seen. This is how field_collection_items works:
Not expecting a fix or anything, simply posting here for documentation sake.
Comment #3
btopro CreditAttribution: btopro commentedchanging title to reflect that FALSE is always going to be returned when attempting to query the file entity via this module (regardless of user, its actually never possible given how its setup).
Entity thread - #1136356: Fix file access
File Entity thread - #1227706: Add a file entity access API