I added a file field to the user entity and followed the instructions here by enabling and configuring the new file_upload REST resource plugin to use simple_oauth for authentication. I then attempted to POST a new file at `/file/upload/user/user/field_headshot_file?_format=json`, but am getting a 403 indicating that the `administer users` permission is required. If I give the role belonging to the user in question the `administer users` permission, I am able to upload the file successfully. This is contrary to how things work through the UI, however, as the user is able to log in and edit their own user account without the `administer users` permission.
After talking with @wim-leers on this, he pointed me to the line of code in `core/modules/file/src/Plugin/rest/resource/FileUploadResource.php` that is throwing the access denied:

```php
// The upload is gated on *create* access for the target entity bundle,
// combined with 'edit' access on the file field itself.
$access_result = $entity_access_control_handler->createAccess($bundle, NULL, [], TRUE)
  ->andIf($entity_access_control_handler->fieldAccess('edit', $field_definition, NULL, NULL, TRUE));
```
It's looking like the issue is that the FileUploadResource is checking for create access for the entity the file is being uploaded to. That *might* make sense when a user is editing a blog post (there's probably a scenario where a user can edit blogs, but not create new ones), but is seemingly overly restrictive when a user is editing their own account, since in reality, they don't need to have the ability to create new users to perform this action through the UI.
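To make the difference between the two gating strategies concrete, here is an added, self-contained PHP illustration (not Drupal core code and not part of this issue's proposed fix). It models Drupal's `AccessResult` tri-state and its `andIf()` rule with a minimal stand-in class, plus a simplified user access handler where creating accounts needs `administer users` but updating an account is allowed for its owner. The `uploadAccessUsingUpdate()` variant, the `Account` class, the permission names and the user IDs are constructed assumptions for the comparison; `uploadAccessUsingCreate()` mirrors the create-plus-field-edit check quoted above.

```php
<?php
// Added illustration, not Drupal core code. Minimal model of Drupal's
// AccessResult (allowed / neutral / forbidden) and its andIf() combination.
final class AccessResult {
    private function __construct(private string $state) {}
    public static function allowed(): self { return new self('allowed'); }
    public static function neutral(): self { return new self('neutral'); }
    public static function forbidden(): self { return new self('forbidden'); }
    public static function allowedIf(bool $condition): self {
        return $condition ? self::allowed() : self::neutral();
    }
    public function isAllowed(): bool { return $this->state === 'allowed'; }
    public function isForbidden(): bool { return $this->state === 'forbidden'; }
    // andIf(): forbidden dominates; allowed only if both sides are allowed; else neutral.
    public function andIf(self $other): self {
        if ($this->isForbidden() || $other->isForbidden()) { return self::forbidden(); }
        if ($this->isAllowed() && $other->isAllowed()) { return self::allowed(); }
        return self::neutral();
    }
}

// Constructed sample account: an ID plus a flat list of permission names.
final class Account {
    public function __construct(public int $id, private array $permissions) {}
    public function hasPermission(string $permission): bool {
        return in_array($permission, $this->permissions, true);
    }
}

// Simplified stand-in for the user entity access control handler (assumption).
final class UserAccessHandler {
    // Creating a new user account requires 'administer users'.
    public function createAccess(Account $account): AccessResult {
        return AccessResult::allowedIf($account->hasPermission('administer users'));
    }
    // Updating an existing account: allowed for admins or for the account's owner.
    public function access(int $targetUserId, string $operation, Account $account): AccessResult {
        if ($operation !== 'update') { return AccessResult::neutral(); }
        return AccessResult::allowedIf(
            $account->hasPermission('administer users') || $account->id === $targetUserId
        );
    }
    // Field-level 'edit' access on the headshot field follows the same ownership rule.
    public function fieldAccess(string $operation, string $field, int $targetUserId, Account $account): AccessResult {
        return $this->access($targetUserId, 'update', $account);
    }
}

// Mirrors FileUploadResource: create access on the bundle AND edit access on the field.
function uploadAccessUsingCreate(UserAccessHandler $handler, Account $account, int $targetUserId): AccessResult {
    return $handler->createAccess($account)
        ->andIf($handler->fieldAccess('edit', 'field_headshot_file', $targetUserId, $account));
}

// Hypothetical alternative: update access on the specific entity being edited AND field edit access.
function uploadAccessUsingUpdate(UserAccessHandler $handler, Account $account, int $targetUserId): AccessResult {
    return $handler->access($targetUserId, 'update', $account)
        ->andIf($handler->fieldAccess('edit', 'field_headshot_file', $targetUserId, $account));
}

$handler = new UserAccessHandler();
$ordinaryUser = new Account(42, ['access content']);   // constructed: no 'administer users'
$adminUser    = new Account(1, ['administer users']);   // constructed: site administrator

$cases = [
    'ordinary user edits own account, create-gated'   => uploadAccessUsingCreate($handler, $ordinaryUser, 42),
    'ordinary user edits own account, update-gated'   => uploadAccessUsingUpdate($handler, $ordinaryUser, 42),
    'ordinary user edits another account, update-gated' => uploadAccessUsingUpdate($handler, $ordinaryUser, 7),
    'admin edits another account, create-gated'       => uploadAccessUsingCreate($handler, $adminUser, 42),
];
foreach ($cases as $label => $result) {
    printf("%-52s => HTTP %s\n", $label, $result->isAllowed() ? '200' : '403');
}
```

Run with `php example.php`. The create-gated check denies the ordinary user's self-upload even though the UI lets that user edit their own account, while the update-gated variant allows the self-upload and still denies uploads against another user's account, so it does not widen access beyond what the user already holds.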