Ajax file upload callback improperly checks view published content ('access content') permission

Created on 4 April 2013, almost 12 years ago

Updated 28 February 2023, almost 2 years ago

Problem/Motivation

Drupal should not check to see if a user has permission to view published nodes when they are uploading a managed file. That file could be on a term, a user, or anywhere else in the Drupal system - having nothing at all to do with viewing content that has been published.

In the file module, the AJAX callbacks look like this.

  file.ajax_progress:
  path: '/file/progress/{key}'
  defaults:
    _controller: '\Drupal\file\Controller\FileWidgetAjaxController::progress'
  requirements:
    _permission: 'access content'

Steps to reproduce

Proposed resolution

To create a new permission for this specific use case

Remaining tasks

Issue Summary update
Decide on a solution, see #2 🐛 Ajax file upload callback improperly checks view published content ('access content') permission Needs work
possible Reroll

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report

Status

Needs work

Version

9.5

Component

File module →

Last updated 9 days ago

Maintained by
🇦🇺Australia @kim.pepper

Created by

🇺🇸United States jenlampton

Live updates comments and jobs are added and updated live.

Needs backport to D7
After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.

Needs issue summary update
Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.

Bug Smash Initiative

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment almost 2 years ago →
🇺🇸United States brad.bulger
re #14

AFAICT, there's no anonymous form in standard with a file upload, so I guess default installation is currently fine ?

The default user registration form has a user picture field. If anonymous users don't have access content, they can't register.

That's about more than the Ajax callback - see FileAccessControlHandler::checkAccess - but seems relevant here.

🐛 user_picture upload fails during registration without published content access Closed: works as designed

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024