Contrib.social

When an anonymous user is editing an entity with private files they can get the following error: "You do not have access to the referenced entity (file: file_id)."

Open on Drupal.org β†’
Created on 1 April 2021, over 3 years ago
Updated 23 May 2024, 6 months ago

Problem/Motivation

When anonymous user is editing entity with private files he can get the following error: "You do not have access to the referenced entity (file: file_id)."
It looks like system checks array key instead of the entity id inside ReferenceAccessConstraintValidator class

Steps to reproduce

* create a new node type, anonymous user should be able to edit/add
* entity should contain file field, storage should be set to private
* as anonymous user create a new node, upload some files
* edit node, user will see a list of files and he will not be able to view them but this is an expected behaviour
* press save, system will display an error: "You do not have access to the referenced entity"
* User have not made any changes to files but he is notified about an error

Proposed resolution

Compare entity ids instead of array key

πŸ› Bug report
Status

Needs work

Version

11.0 πŸ”₯

Component
EntityΒ  β†’

Last updated about 7 hours ago

Created by

πŸ‡΅πŸ‡±Poland alorenc Wolsztyn, πŸ‡΅πŸ‡±

Live updates comments and jobs are added and updated live.
  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment almost 2 years ago β†’
    πŸ‡¬πŸ‡§United Kingdom niklp Nottingham
    <?php
// each of a delta-keyed array
foreach ($referenced_entities as $ref) {  
  // $ref->id() points to fid in my case which is e.g. 3018, soooo....
  if (isset($referenced_entities[$ref->id()])) { 
    // never hits here
  }
}
?>

    +1 for the patch, existing code makes no sense, at least in my use case of "10 files attached to a user profile".

  • Status changed to RTBC almost 2 years ago
  • Comment almost 2 years ago β†’
    πŸ‡¬πŸ‡§United Kingdom niklp Nottingham

    Having tested this patch, can confirm it removes the immediately offending errors.

    It didn't fix an underlying problem with access checks that I'm having, but this was definitely blocking progress.

  • Status changed to Needs work almost 2 years ago
  • Comment almost 2 years ago β†’
    πŸ‡ΊπŸ‡ΈUnited States xjm

    Thanks for reporting this issue.

    I'm not sure if this is the correct fix or not, but either way, we would definitely need an automated test that fails without the fix and passes with it. Tagging "Needs tests" for that. Thanks!

  • Comment over 1 year ago β†’
    πŸ‡ΊπŸ‡ΈUnited States astringer

    I had this problem with an authenticate user and user_picture in the public folder.

    The patch did not work, at first. It did work once I changed the storage of the user_picture to private.

    I didn't have time to investigate further, ping me if you anyone wants more details. (And it's strange because it worked a couple of days ago with the public folder, and no patch.).

    Crossing my fingers it holds.

  • Comment over 1 year ago β†’
    πŸ‡΅πŸ‡±Poland lamp5 Rzeszow

    Ok, we will send you a white dove with a message...

  • Comment over 1 year ago β†’
    ph7

    I can confirm this patch works on a D9.4.11 PHP8.1 site. I don't have this problem anymore on D9.5.x sites

  • Comment over 1 year ago β†’
    πŸ‡©πŸ‡ͺGermany Anybody Porta Westfalica

    Just ran into this issue after updating from Drupal 9 to Drupal 10 for existing media entities. No ideas why this comes up now, but perhaps something related was fixed, which is now causing this issue...?

  • Open in Jenkins β†’ Open on Drupal.org β†’
    Environment: PHP 8.2 & MySQL 8
    last update over 1 year ago
    29,465 pass
  • Comment 12 months ago β†’
    πŸ‡©πŸ‡ͺGermany zcht

    Thanks for the patch, ran into the same problem as @Anybody listed. In my case though only in a media field (not private) provided in a paragraph, was only discovered by accident because this field is rarely used. The patch fixes the problem, successfully tested on Drupal 10.1.6

    RTBC++

  • Assigned to zniki.ru
  • Comment 12 months ago β†’
    πŸ‡·πŸ‡ΊRussia zniki.ru

    I will try to create test case.

  • Merge request !5664Draft: Issue #3206760: Create Private files test β†’ (Open) created by zniki.ru
  • Issue was unassigned.
  • Comment 12 months ago β†’
    πŸ‡·πŸ‡ΊRussia zniki.ru

    I created test as described in the IS, but I was not able to get the error on 10.2.x-dev.
    Issue targeted on 10.1.x let's see how pipeline will result.

  • Comment 12 months ago β†’
    πŸ‡·πŸ‡ΊRussia zniki.ru

    I was not able to reproduce the issue.
    You can check test case in the MR.
    Needs more info, how to reproduce it.

  • Comment 12 months ago β†’
    πŸ‡·πŸ‡ΊRussia zniki.ru

    Oops.
    Made commit to wrong branch.
    Revert changes.

  • Comment 6 months ago β†’
    πŸ‡·πŸ‡ΊRussia ilya.no

    Initial patch didn't work for me, so attaching the patch, which fixed the issue.
    My issue is following:
    1) Drupal 9.5.11, webform module 6.1.5, default download method is private
    2) There is webform, which is accessible by anonymous users and contains upload field of type `Document file`.
    3) When admin tries to update submission via edit page `admin/structure/webform/manage/form_name/submission/1/edit`, there is same error, as mentioned in title.
    Not sure, if my fix is proper one, but it seems logical to check `download` operation instead of `view` for files, which can be downloaded, but can't be viewed.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024