Do not rely on hardcoded strings as an API for recording anonymous user file uploads in the session

Created on 22 June 2017, almost 7 years ago
Updated 30 January 2023, over 1 year ago

The code added in https://www.drupal.org/SA-CORE-2017-003 required writing to the session every time an anonymous user uploads a private file, and also reading from that session to check if the current anonymous user is the same one who uploaded it and should have access to it.

For simplicity in a security release, this was done using a hardcoded string and a direct write to the session. But it would be useful to have more of an API for this. There were two possible suggestions related to that:

  1. @larowlan suggested replacing the string with a class constant.
  2. I suggested creating an actual API to grant/check anonymous access to the file, and putting all the session code internal to that API. I suggested this partially because we do know of at least a couple contrib modules that need to deal with this functionality also (see the https://www.drupal.org/project/drupal/releases/7.56 release notes).

The options aren't mutually exclusive (it is possible to do both).
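As an added illustration (not code from Drupal core or from this issue), the PHP below sketches the two patterns the summary contrasts: direct writes of a hardcoded session key scattered across callers, and a small grant/check class that keeps all session handling internal. The session key name, the class and the function names are constructed for the example, and session storage is a plain array passed by reference so it runs without Drupal.

```php
<?php
// Added illustrative example, not code from Drupal core or this issue.
// Contrasts the hardcoded-session-key pattern with a grant/check API that
// owns the key. Session storage is a plain array so it runs without Drupal.

declare(strict_types=1);

/**
 * Direct-write pattern: every caller repeats the same literal key.
 * The key name is a constructed placeholder, not the one used in core.
 */
function legacyRecordUpload(array &$session, int $fileId): void {
  $session['example_anonymous_file_ids'][$fileId] = $fileId;
}

function legacyCheckUpload(array $session, int $fileId): bool {
  return isset($session['example_anonymous_file_ids'][$fileId]);
}

/**
 * API pattern: one class owns the session key; callers never see it.
 * Access is granted only to the session that recorded the upload, so a
 * different anonymous visitor (a different session) is denied by default.
 */
final class AnonymousFileAccess {
  // Single definition of the key (the class-constant suggestion).
  private const SESSION_KEY = 'example_anonymous_file_ids';

  /** @var array<string, mixed> */
  private array $session;

  public function __construct(array &$session) {
    $this->session = &$session;
  }

  /** Record that the current anonymous session uploaded this file. */
  public function grant(int $fileId): void {
    $this->session[self::SESSION_KEY][$fileId] = $fileId;
  }

  /** True only if this session recorded the upload; unknown IDs are denied. */
  public function check(int $fileId): bool {
    return isset($this->session[self::SESSION_KEY][$fileId]);
  }

  /** Drop the grant, e.g. once the file is attached to a saved entity. */
  public function revoke(int $fileId): void {
    unset($this->session[self::SESSION_KEY][$fileId]);
  }
}

// Demo with two separate anonymous sessions (constructed in-memory arrays).
$uploaderSession = [];
$otherSession = [];

$uploader = new AnonymousFileAccess($uploaderSession);
$other = new AnonymousFileAccess($otherSession);

$uploader->grant(42);
var_dump($uploader->check(42)); // the session that uploaded the file
var_dump($other->check(42));    // a different anonymous session
$uploader->revoke(42);
var_dump($uploader->check(42)); // after the grant is removed
```

Both approaches store the same data; the difference is that with the class the key exists in exactly one place, so contrib modules that need the same grant/check behaviour call the API instead of duplicating the literal, and a later change to the storage format touches one class rather than every caller.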

📌 Task
Status

Needs work

Version

10.1 ✨

Component
File module

Last updated 3 days ago

Created by

🇺🇸 United States David_Rothstein

  • Needs backport to D7

    After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
