Instead of the derivative image, Drupal responds with 403 because it cannot generate the derivative.

Comment | File | Size | Author
#4 | Selection_250.png | 34.6 KB | imyaro
#2 | youtube-2855094-2.patch | 1005 bytes | rosk0

Comments

RoSk0 created an issue. See original summary.

rosk0’s picture

Assigned: rosk0 » Unassigned
Status: Active » Needs review
File status: new; size: 1005 bytes

Provided patch fixes this issue.

gold’s picture

Status: Needs review » Reviewed & tested by the community

This is looking good.

Thumbnails are now being generated as expected.

imyaro’s picture

File status: new; size: 34.6 KB

Hello,
The field "YouTube thumbnail directory" has the public files path prefix,

[image: Path prefix]

and the problem could appear if:
* The site has the private files directory within the public one
* The user has selected the private files directory to store the thumbnails.

Only in this case will you have this issue.
And if the module user has selected the private files directory, he has a reason to hide these files from the users who don't have this permission.

imyaro’s picture

Status: Reviewed & tested by the community » Closed (works as designed)

Works as designed, nothing to fix there.

rosk0’s picture

Status: Closed (works as designed) » Reviewed & tested by the community

Hi @zvse,

Yes, you are completely right: if the user specifies a private file system for thumbnails, then only users with the required access rights should be able to view thumbnails.

The issue is that without this patch they don't.

imyaro’s picture

Status: Reviewed & tested by the community » Needs work

In this case we have issues:
1) In the hook we don't check if the user has access to the field content (to the entity, at least). We just give all the users access to the thumbnails in any case.
2) We don't allow users to define a private:// file directory if it is located outside the public one.

prudloff’s picture

We had the same issue on a Drupal 8 website but got it to work with a simple download hook:

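/**
 * Implements hook_file_download().
 *
 * @throws \Drupal\Component\Plugin\Exception\PluginNotFoundException
 * @throws \Drupal\Component\Plugin\Exception\InvalidPluginDefinitionException
 */
function xxx_tweaks_file_download($uri) {
  $dir = trim((string) \Drupal::config('youtube.settings')->get('youtube_thumb_dir'), '/');
  // An empty setting would prefix-match every URI, so treat it as no match.
  // The trailing slash keeps "youtube" from matching "youtube_other/...".
  if ($dir === '' || strpos(file_uri_target($uri), $dir . '/') !== 0) {
    // NULL means this module has no opinion on the file.
    return NULL;
  }
  /** @var \Drupal\Core\Entity\EntityTypeManager $entityManager */
  $entityManager = \Drupal::entityTypeManager();
  $files = $entityManager->getStorage('file')->loadByProperties(['uri' => $uri]);
  if (empty($files)) {
    // No managed file entity exists for this URI.
    return NULL;
  }
  // Returning headers grants the download; no entity access check is made here.
  return file_get_content_headers(current($files));
}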