[PP-1] REST's FileUploadResource plugin is only able to check `create` access to a parent entity, should be able to check `edit` also

Created on 3 July 2018, over 6 years ago
Updated 3 August 2024, 4 months ago

I added a file field to the user entity and followed the instructions here → by enabling and configuring the new file_upload REST resource plugin to use simple_oauth for authentication. I then attempted to POST a new file at /file/upload/user/user/field_headshot_file?_format=json, but am getting a 403 indicating that the `administer users` permission is required. If I give the role belonging to the user in question the `administer users` permission I am able to upload the file successfully. This is contrary to how things work through the UI, however, as the user is able to log in and edit their own user account without the `administer users` permission.

After talking with @wim-leers on this, he pointed me to the line in code in core/modules/file/src/Plugin/rest/resource/FileUploadResource.php that is throwing the access denied:

    // Requires 'create' access to the target bundle, then 'edit' access to the field.
    $access_result = $entity_access_control_handler->createAccess($bundle, NULL, [], TRUE)
      ->andIf($entity_access_control_handler->fieldAccess('edit', $field_definition, NULL, NULL, TRUE));

It’s looking like the issue is that the FileUploadResource is checking for create access for the entity the file is being uploaded to. That *might* make sense when a user is editing a blog post (there's probably a scenario where a user can edit blogs, but not create new ones), but is seemingly overly restrictive when a user is editing their own account, since in reality, they don't need to have the ability to create new users to perform this action through the UI.
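To make the distinction concrete, here is an added sketch (not Drupal core code and not a patch from this issue) of an access check that requires `update` access to the target entity when that entity already exists and only falls back to `create` access on the bundle when it does not. It assumes the core `EntityAccessControlHandlerInterface`, `FieldDefinitionInterface` and `AccessResult` APIs; the function name `file_upload_target_access` is hypothetical.

```php
<?php
// Added example, not core code: choose the entity-level operation by whether
// the file is being attached to an existing entity or to one yet to be created.
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Entity\EntityAccessControlHandlerInterface;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Session\AccountInterface;

function file_upload_target_access(
  EntityAccessControlHandlerInterface $handler,
  FieldDefinitionInterface $field_definition,
  AccountInterface $account,
  ?EntityInterface $target = NULL
): AccessResultInterface {
  if ($target !== NULL) {
    // Editing an existing entity (e.g. a user's own account): the UI form
    // checks 'update' access on that entity, so mirror that here instead of
    // demanding the ability to create new entities of the bundle.
    $entity_access = $handler->access($target, 'update', $account, TRUE);
  }
  else {
    // No existing entity: the upload will be attached to a new one, so
    // 'create' access on the bundle is the right question to ask.
    $entity_access = $handler->createAccess(
      $field_definition->getTargetBundle(),
      $account,
      [],
      TRUE
    );
  }

  // In both cases the account must also be allowed to edit the target field;
  // andIf() keeps the result forbidden if either check fails and merges
  // cacheability metadata from both.
  return $entity_access->andIf(
    $handler->fieldAccess('edit', $field_definition, $account, NULL, TRUE)
  );
}
```

A caller that knows the target entity (for example from the route) would pass it in; a caller that does not falls back to the current create-only behaviour.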

πŸ› Bug report
Status

Postponed

Version

11.0 🔥

Component
REST →

Last updated 7 days ago

Created by

🇺🇸 United States malik.kotob
