In #2304969: Port private files access bypass from SA-CORE-2014-003, a new entity constraint was added to the File and Image field types which ensures that a user can only add a reference to a file/image that they have access to.
This constraint is only supposed to verify access to the referenced file if the reference is new or changed, meaning the user changed the reference from what it was to something else. However, there is a bug in this code that forces the check to occur on every save, even if the reference didn't change.
I came across this bug when trying to add custom role-based view access control on media entities with private files:
The problem occurs because the ReferenceAccessConstraint is now checking that the user has "view" access to the referenced private file on the file field. Since access to private file fields is delegated to the entity that references the file, access is denied because the user who is editing the entity doesn't have that special role from step 2 above.
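To make the failure mode concrete, here is a small model of the two behaviours described above (the buggy "check on every save" and the intended "check only changed references"). This is an added illustration, not Drupal's ReferenceAccessConstraint code; it assumes files are identified by integer ids and that "view" access is a simple callable.

```python
from typing import Callable, Iterable, List

# Access predicate type: given a file id, is the current user allowed to view it?
CanView = Callable[[int], bool]


def check_every_time(original: Iterable[int], submitted: Iterable[int],
                     can_view: CanView) -> List[int]:
    """Buggy behaviour: every non-empty file reference in the submitted value is
    access-checked on every save, even when it is unchanged. Returns the ids
    that would raise a constraint violation."""
    return [fid for fid in submitted if fid and not can_view(fid)]


def check_changed_only(original: Iterable[int], submitted: Iterable[int],
                       can_view: CanView) -> List[int]:
    """Intended behaviour: only references that were not already stored on the
    entity are access-checked; an unchanged reference never triggers a check."""
    previously_referenced = {fid for fid in original if fid}
    return [fid for fid in submitted
            if fid and fid not in previously_referenced and not can_view(fid)]


# Constructed scenario: private file 7 is already referenced by the media item.
# The editing user lacks the role that grants "view" on that media item, and
# file access is delegated to it, so files 7 and 9 are denied; file 3 is allowed.
def editor_can_view(file_id: int) -> bool:
    return file_id not in {7, 9}


def edit_without_changing_reference() -> tuple:
    """User edits some other field; the file reference stays [7]."""
    return (check_every_time([7], [7], editor_can_view),
            check_changed_only([7], [7], editor_can_view))


def edit_adding_viewable_file() -> tuple:
    """User keeps file 7 and adds file 3, which they can view."""
    return (check_every_time([7], [7, 3], editor_can_view),
            check_changed_only([7], [7, 3], editor_can_view))


def edit_swapping_to_denied_file() -> tuple:
    """User replaces file 7 with file 9, which they cannot view."""
    return (check_every_time([7], [9], editor_can_view),
            check_changed_only([7], [9], editor_can_view))
```

With the buggy check the unchanged reference to file 7 is reported as a violation, which is exactly the edit-form rejection described in the issue; with the intended check only the swap to file 9 is rejected.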
Needs work
11.0
file system
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.