Contrib.social

File entity - Dblog/Watchdog entries if uid is NULL

Open on Drupal.org β†’
Created on 27 July 2018, over 6 years ago
Updated 16 January 2025, 19 days ago

Problem/Motivation

File entities have a field called "uid" storing the id of the owning user. The field is not marked as required and is not part of the entity keys. As a result, the Drupal API as well as the underlying database allow NULL values in the uid field.

The code in \Drupal\file\FileAccessControlHandler::checkAccess assumes that there is always an integer. If it is null, PHP creates an E_NOTICE on the $file_uid[0]['target_id'] expression, which by default ends up in the watchdog DB table.

Steps to reproduce

Call the file APIs functions such as File::create([...]) or file_save_data(...) from a cron or drush context.

Proposed resolution

Call getOwnerId() instead.

πŸ› Bug report
Status

Needs work

Version

11.0 πŸ”₯

Component

file system

Created by

πŸ‡©πŸ‡ͺGermany gogowitsch

Live updates comments and jobs are added and updated live.
  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • First commit to issue fork.
  • Comment 19 days ago β†’
    πŸ‡ͺπŸ‡ΈSpain vidorado Pamplona (Navarra)

    @smustgrave, to properly test this, we would need a comprehensive kernel test for the FileAccessControlHandler. I feel uneasy about testing just the 'update' operation solely to ensure that a PHP notice is not triggered. Could you provide some guidance on the best way to test cases like this? Additionally, is a full test of the FileAccessControlHandler within the scope of this issue?

    Thank you!

  • Merge request !10927Issue #2988632: File entity - Dblog/Watchdog entries if uid is NULL β†’ (Open) created by vidorado
  • Pipeline finished with Failed
    19 days ago
    Total: 426s
    #398176
  • Comment 12 days ago β†’
    πŸ‡ͺπŸ‡ΈSpain vidorado Pamplona (Navarra)

    Trying to get feedback

  • Comment 5 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    There's AccessTest that probably can be expanded

  • Comment 2 days ago β†’
    πŸ‡ͺπŸ‡ΈSpain vidorado Pamplona (Navarra)

    Thanks for pointing it out. Now I see that \Drupal\Tests\file\Kernel\AccessTest already tests the update operation over a file with and without owner, so I believe we have this covered! :) haven't we?

    I've debugged step by step and checked that the new code is exercised.

    
    ...

    $this->assertFalse($file1->access('update', $user_own));
    $this->assertTrue($file2->access('update', $user_own));

    ...

    // Create a file with no user entity. 

    // <<Creates $file4 with no uid>>

    $this->assertFalse($file4->access('update', $user_own));
    ...
    $this->assertFalse($file4->access('update', $user_any));
  • Comment 2 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    Then I would say not. If the test coverage were adequate it would catch the bug reported here. So think the coverage needs to be expanded to cover the scenario described.

  • Comment 2 days ago β†’
    πŸ‡ͺπŸ‡ΈSpain vidorado Pamplona (Navarra)

    You're right, and now I've seen that a isset() guard was added in πŸ› There is no way to delete file entities of other users Fixed after this issue was created, so this is not longer a problem. I think we can close this issue as outdated.

      if ($account->id() == $file_uid[0]['target_id']) {

    Was changed to:

      if (isset($file_uid[0]['target_id']) && $account->id() == $file_uid[0]['target_id']) {

    It was better to check for $entity->getOwnerId() rather than $file_uid = $entity->get('uid')->getValue() and $file_uid[0]['target_id'], but I think that's now out of the scope of this issue.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024