Ajax file upload callback improperly checks view published content ('access content') permission

Created on 4 April 2013, about 11 years ago
Updated 28 February 2023, over 1 year ago

Problem/Motivation

Drupal should not check to see if a user has permission to view published nodes when they are uploading a managed file. That file could be on a term, a user, or anywhere else in the Drupal system - having nothing at all to do with viewing content that has been published.

In the file module, the AJAX callbacks look like this.

  file.ajax_progress:
    path: '/file/progress/{key}'
    defaults:
      _controller: '\Drupal\file\Controller\FileWidgetAjaxController::progress'
    requirements:
      _permission: 'access content'

Related:
#1368610: It is confusing why creating a node requires users to have permission to "view published content"

Steps to reproduce

Proposed resolution

Create a new permission for this specific use case.

Remaining tasks

Issue Summary update
Decide on a solution, see #2
possible Reroll

User interface changes

API changes

Data model changes

Release notes snippet

πŸ› Bug report
Status

Needs work

Version

9.5

Component
File module

Last updated 3 days ago

Created by

🇺🇸 United States jenlampton

  • Needs backport to D7

    After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.

  • Needs issue summary update

    Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.
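
To see how far the pattern in the issue summary reaches, here is a small audit that lists routes gated on 'access content' whose path is not a node path. It is an added example, not code from the issue or from Drupal core, and it generalizes from the one quoted route to any `*.routing.yml` text. The two `example.*` routes are constructed, and treating `/node` as the only content prefix is an assumption.

```python
import re

# Constructed sample: the route quoted in the issue plus two made-up routes for contrast.
SAMPLE_ROUTING_YML = """\
file.ajax_progress:
  path: '/file/progress/{key}'
  defaults:
    _controller: '\\Drupal\\file\\Controller\\FileWidgetAjaxController::progress'
  requirements:
    _permission: 'access content'

example.node_listing:
  path: '/node/recent'
  requirements:
    _permission: 'access content'

example.settings:
  path: '/admin/config/example'
  requirements:
    _permission: 'administer site configuration+access content'
"""

ROUTE_RE = re.compile(r"^([A-Za-z0-9_.]+):\s*$")
FIELD_RE = re.compile(r"^\s+(path|_permission):\s*['\"]?(.*?)['\"]?\s*$")

def parse_routes(text):
    """Minimal reader for the flat *.routing.yml layout (not a general YAML parser)."""
    routes, current = {}, None
    for line in text.splitlines():
        route, field = ROUTE_RE.match(line), FIELD_RE.match(line)
        if route:
            current = routes.setdefault(route.group(1), {})
        elif field and current is not None:
            current[field.group(1)] = field.group(2)
    return routes

def routes_gated_on(text, permission="access content", content_prefixes=("/node",)):
    """Names of routes that require `permission` but whose path is not a content path."""
    flagged = []
    for name, route in parse_routes(text).items():
        # Drupal combines permissions with ',' (AND) or '+' (OR); check each one.
        perms = [p.strip() for p in re.split(r"[,+]", route.get("_permission", ""))]
        if permission in perms and not route.get("path", "").startswith(content_prefixes):
            flagged.append(name)
    return sorted(flagged)

if __name__ == "__main__":
    print(routes_gated_on(SAMPLE_ROUTING_YML))
```

Each flagged route is one that stops working for a role without "view published content", even though the route itself does not display nodes.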
