ReferenceAccessConstraint is incorrectly checking access for referenced entities even if the reference did not change

Created on 29 October 2018, almost 7 years ago
Updated 5 September 2025, about 1 month ago

Problem/Motivation

In #2304969: Port private files access bypass from SA-CORE-2014-003 → , a new entity constraint was added to the File and Image field types which ensures that a user can only add a reference to a file/image that they have access to.

This constraint is only supposed to verify access to the referenced file when the reference is new or changed, meaning the user changed the reference from its previous value to something else. However, there is a bug in this code that forces the check to occur every time, even if the reference didn't change.

I came across this bug when trying to add custom role-based view access control on media entities with private files:

  1. Create a media entity type "Private Document" whose file field uses the private file scheme
  2. Add a hook_media_access implementation that forbids the "view" operation on entities of that media bundle for anyone without a special role
  3. Add a new "Private Document" entity, upload a file and save
  4. Now edit the same entity and try saving again. You get the error "You do not have access to the referenced entity (%type: %id)."

The problem occurs because the ReferenceAccessConstraint now checks that the user has "view" access to the private file referenced by the file field. Since access to a private file is delegated to the entity that references it, access is denied because the user editing the entity does not have the special role from step 2 above.
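The behaviour the constraint is supposed to have, as an added sketch in plain PHP that is not Drupal core's ReferenceAccessConstraintValidator: the "view" check runs only when the target differs from what the unchanged entity already referenced. The function names, the delta-indexed list of stored file IDs and the `$user_can_view` callback are assumptions standing in for the field item and `$file->access('view')`.

```php
<?php
// Added illustration, not Drupal core's ReferenceAccessConstraintValidator.
// Assumptions: the unchanged entity's file field is represented as a plain
// list of referenced file IDs indexed by delta (the shape referencedEntities()
// returns), and $user_can_view stands in for $file->access('view').

/**
 * Decides whether the referenced file's "view" access must be checked.
 *
 * The check is only needed when the host entity is new, or when the target
 * differs from every file the unchanged entity already referenced.
 */
function reference_needs_access_check(bool $entity_is_new, array $stored_target_ids, ?int $new_target_id): bool {
  // '0' and NULL are valid empty references; nothing to check.
  if (empty($new_target_id)) {
    return FALSE;
  }
  if ($entity_is_new) {
    return TRUE;
  }
  // Compare file IDs, not array keys: the stored list is delta-indexed, so
  // isset($stored_target_ids[$new_target_id]) would not answer the question.
  return !in_array($new_target_id, $stored_target_ids, TRUE);
}

/**
 * Mimics the validator: returns a violation message, or NULL when valid.
 */
function validate_file_reference(bool $entity_is_new, array $stored_target_ids, ?int $new_target_id, callable $user_can_view): ?string {
  if (!reference_needs_access_check($entity_is_new, $stored_target_ids, $new_target_id)) {
    return NULL;
  }
  if ($user_can_view($new_target_id)) {
    return NULL;
  }
  return "You do not have access to the referenced entity (file: $new_target_id).";
}

// Constructed scenario from the report: the editor lacks the special role, so
// hook_media_access denies "view" on the media entity and, by delegation, on
// its private file.
$editor_cannot_view = fn(int $fid): bool => FALSE;

// Step 4: re-saving with the reference left as file 42 must not be blocked.
var_dump(validate_file_reference(FALSE, [42], 42, $editor_cannot_view));
// Swapping the reference to a different private file is still blocked.
var_dump(validate_file_reference(FALSE, [42], 43, $editor_cannot_view));
```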

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

πŸ› Bug report
Status

Needs work

Version

11.0 🔥

Component

file system

Created by

🇺🇸 United States bkosborne, New Jersey, USA

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

