I'm not sure if I have something wonky going on in my site but I'm noticing that $resource->access($access_op, $id) will always return FALSE for anonymous users when query operation is set.

To replicate

  • Give anonymous users the ability to use REST against nodes
  • Try to go to /node/1.xml (or whatever ID; this will work)
  • Now try /node.xml?nid=1 (this will not work)

It appears that entity_access('view', 'node') (the function resource->access is calling) is returning false for me when no ID is set, but is fine if a specific id is passed through (assuming anonymous can view published nodes). Has anyone else experienced this issue or can replicate this? I may just have to make an authenticated request so that I can return results but querying is a key piece of functionality in this module.

Comments

btopro’s picture

Status: Active » Fixed

Figured this out. It is possible but usually requires way too high a level of access rights to achieve (obviously).

I was able to track down that you need to be running Entity API dev to fix querying of files. The last stable release of entity is missing #1136356: Fix file access which should allow for querying of files by this module.

incredible module btw

btopro’s picture

Appears generic querying of file is not supported by the entity module's implementation of this... looks like a module that specifically provides an override for allowing files to be displayed (via permissions) would be needed. Files appear to have one of the stricter security policies of any of the entities I've seen. This is how field_collection_items works:

function field_collection_item_access($op, FieldCollectionItemEntity $item = NULL, $account = NULL) {
...
  if (user_access('administer field collections', $account)) {
    return TRUE;
  }
...

Not expecting a fix or anything, simply posting here for documentation's sake.
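
The behaviour discussed in this thread, as an added sketch that is not code from Drupal, the Entity API or this module: an access callback receives no entity when a query carries no ID, so it can only answer from a permission, and the query handler then has to re-check every result individually. All example_* names, the 'query example items' permission, the role names and the sample data are constructed stand-ins so the script runs outside Drupal.

```php
<?php
// Constructed role => permissions map standing in for Drupal's user_access().
$example_permissions = array(
  'anonymous' => array('access content'),
  'editor' => array('access content', 'query example items'),
);

function example_user_access($permission, $role) {
  global $example_permissions;
  return in_array($permission, $example_permissions[$role], TRUE);
}

/**
 * Access callback in the style the thread describes: $item is NULL for a
 * generic check (a query with no ID) and set for a single-entity check.
 */
function example_item_access($op, $item = NULL, $role = 'anonymous') {
  if ($op !== 'view') {
    return FALSE; // Deny any operation this callback does not handle.
  }
  if ($item === NULL) {
    // Generic check: listing is gated behind its own permission.
    return example_user_access('query example items', $role);
  }
  // Per-entity check: published items only, and only with 'access content'.
  return $item['status'] == 1 && example_user_access('access content', $role);
}

/**
 * Query handler: generic check first, then filter each row, because passing
 * the generic check says nothing about access to a specific item.
 */
function example_query(array $items, $role) {
  if (!example_item_access('view', NULL, $role)) {
    return FALSE;
  }
  return array_values(array_filter($items, function ($item) use ($role) {
    return example_item_access('view', $item, $role);
  }));
}

// Constructed sample data: one published item, one unpublished.
$items = array(
  array('id' => 1, 'status' => 1),
  array('id' => 2, 'status' => 0),
);
var_dump(example_item_access('view', $items[0], 'anonymous')); // lookup by ID
var_dump(example_query($items, 'anonymous'));                  // query, no ID
var_dump(example_query($items, 'editor'));                     // query, no ID
```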

btopro’s picture

Title: anonymous querying not possible » file entity can't be queried because of an inconsistency in the file entity access callback

Changing title to reflect that FALSE is always going to be returned when attempting to query the file entity via this module (regardless of user, it's actually never possible given how it's set up).

Entity thread - #1136356: Fix file access
File Entity thread - #1227706: Add a file entity access API

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.