Contrib.social

Deleting a node with file usage doesn't delete file

Open on Drupal.org β†’
Created on 12 June 2017, over 7 years ago
Updated 23 September 2023, about 1 year ago

Follow-up to πŸ› Deleting an entity with revisions and file/image field does not release file usage of non-default revisions, causing files to linger Postponed

Problem/Motivation

πŸ› Deleting an entity with revisions and file/image field does not release file usage of non-default revisions, causing files to linger Postponed released usage of files in revisioned entities that are deleted.

This issue is to clean up the {file_managed} table and actual file to reflect this change.

This problem is really about data security. A managed asset that is deleted should not be accessible after the content it is attached to is deleted (unless it also is attached to some other content).

Steps to reproduce

  1. Create an article using the Article content type
  2. Embed an image within the article and note its URL.
  3. Save
  4. Reopen to edit
  5. Delete the image.
  6. Save
  7. Attempt to access the image URL that was copied in step 2.

This exhibits a similar problem:

  1. Create an article using the Article content type
  2. Embed an image within the article and note its URL.
  3. Save
  4. Delete the article.
  5. Attempt to access the image URL that was copied in step 2.

In both cases, the expected result is that the image shall no longer be available.

The actual result is that the image still is publicly available.

πŸ› Bug report
Status

Closed: works as designed

Version

9.5

Component
File moduleΒ  β†’

Last updated 3 days ago

Created by

πŸ‡¬πŸ‡§United Kingdom vijaycs85 London, UK

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment about 1 year ago β†’
    πŸ‡³πŸ‡΄Norway gisle Norway

    I have changed the title to reflect what I believe is the problem, updated the issue summary, nd setting back to "Active".

    It is true that after the node is deleted, it is gone from the {file_usage} table, but it is not gone from the {file_managed} table, and more important, the image is not gone from the file system.

    This mean that the image URLs remain accessible on the original URL after the node that included the image is deleted.

    I believe this is a problem with security implications.

  • Comment about 1 year ago β†’
    πŸ‡³πŸ‡΄Norway gisle Norway
  • Status changed to Closed: works as designed about 1 year ago
  • Comment about 1 year ago β†’
    πŸ‡ΈπŸ‡°Slovakia poker10

    I think that the files with no usage are no longer deleted, see this change record: https://www.drupal.org/node/2891902 β†’

    So if the issue is about cleaning the file_managed table when the usage count is 0, we should close it as Works as designed.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024