Contrib.social

Modules cannot grant access using hook_file_download()

Open on Drupal.org β†’
Created on 1 March 2017, over 8 years ago
Updated 30 January 2023, over 2 years ago

from FileDownloadController:

If one or more modules returned headers the download will start with the returned headers. If a module returns -1 an AccessDeniedHttpException will be thrown.

This does not appear to be the case. In the code we have:

$headers = $this->moduleHandler()->invokeAll('file_download', array($uri));

foreach ($headers as $result) {
  if ($result == -1) {
    throw new AccessDeniedHttpException();
  }
}

With my custom module invoking hook_file_download, my $headers array looks something like 

(
    [Content-Type] => application/pdf
    [Content-Length] => 76130
    [Cache-Control] => private
    [0] => -1
)

So my module does provide headers (which implicitly grants access), BUT since another module disallows access with the -1, the access denied is thrown.

Possible solutions

  1. Update the $headers foreach to account for module A granting access which module B denies.
  2. Update the docs to read "If any module returns -1 an AccessDeniedHttpException will be thrown." and provide recommendations on the correct way to override an existing access controller.

My guess is that we'll end up with #2, especially in light of the progress on #2148353: File access (hook_file_download) does not use an EntityAccessController β†’ .

πŸ› Bug report
Status

Needs work

Version

9.5

Component
File systemΒ  β†’

Last updated about 2 months ago

Created by

πŸ‡ΊπŸ‡ΈUnited States akalata

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment over 2 years ago β†’
    needs-review-queue-bot

    The Needs Review Queue Bot β†’ tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide β†’ to find step-by-step guides for working with issues.

  • Status changed to Postponed: needs info 2 months ago
  • Comment 2 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    This came up as a daily BSI target

    Looking at the patch this appears to be patching a contrib module + core. So question is this issue only triggered by a contrib module?

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024