File rest permission issue

Created on 19 August 2021, almost 4 years ago
Updated 7 July 2025, 26 days ago

Problem/Motivation

Uploading files via REST is not allowed when a user / role DOES have permission for the bundle. The error thrown is below:

Path: /file/upload/node/{bundle}/{field}?_format=hal_json. Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: in Drupal\file\Plugin\rest\resource\FileUploadResource->validateAndLoadFieldDefinition() (line 443 of /var/www/d9/core/modules/file/src/Plugin/rest/resource/FileUploadResource.php).

A bare-bones Drupal installation does not have "field permissions" unless the "Field Permissions" module is installed. The way I see it, it is impossible to upload a file for other roles apart from an administrator.

If a role has create/edit permission on the bundle, the field should inherit the bundle permissions.

```php
// Excerpt from FileUploadResource::validateAndLoadFieldDefinition()
// (core/modules/file/src/Plugin/rest/resource/FileUploadResource.php).
$entity_access_control_handler = $this->entityTypeManager->getAccessControlHandler($entity_type_id);
// Only bundleable entity types get a bundle passed to createAccess().
$bundle = $this->entityTypeManager->getDefinition($entity_type_id)->hasKey('bundle') ? $bundle : NULL;
// Both halves must allow: create access for the bundle AND edit access to the target field.
$access_result = $entity_access_control_handler->createAccess($bundle, NULL, [], TRUE)
  ->andIf($entity_access_control_handler->fieldAccess('edit', $field_definition, NULL, NULL, TRUE));
if (!$access_result->isAllowed()) {
  throw new AccessDeniedHttpException($access_result->getReason());
}
```

Steps to reproduce

Make a post request to "/file/upload/node/{bundle}/{field}?_format=hal_json" as any role apart from administrator.

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Active

Version

11.0 🔥

Component

file system

Created by

🇬🇧United Kingdom sadikyalcin


Comments & Activities


  • 🇺🇸United States smustgrave

    This came up as a daily BSI

    Don't have time to fully set up, but it would be good to confirm first if this is still an issue in D11.

  • 🇮🇳India mohit_aghera Rajkot

    I tried to reproduce the issue based on the description.
    It seems that the current implementation is done on purpose to prevent accidental file upload issues.
    It was implemented in #1927648: Allow creation of file entities from binary data via REST requests.

    The comment #326 from @berdir summarises the purpose of the access mechanism.

    The advantage of uploading for a specific field is that we don't have to worry about temporary:// IMHO. Because we can just create it as a normal public:// (or whatever is configured on that field) temporary (the status, not the location) file, just like when you upload in the UI. It would also fix the permission problem, because we can easily check edit access to that specific field for that node type. That means you can really only upload files if there's at least one file/image field on an entity type/bundle that you are allowed to edit.

    Currently field access is returning the correct results.

    ```php
    $access_result = $entity_access_control_handler->createAccess($bundle, NULL, [], TRUE)
      ->andIf($entity_access_control_handler->fieldAccess('edit', $field_definition, NULL, NULL, TRUE));
    ```

    If we see the fieldAccess() method, https://git.drupalcode.org/project/drupal/-/blob/11.x/core/lib/Drupal/Co..., it eventually calls checkFieldAccess https://git.drupalcode.org/project/drupal/-/blob/11.x/core/lib/Drupal/Co... which returns true since operation is edit.

    Later in the `checkFieldAccess()` we are checking field "entity_field_access" hooks.

    Please reopen the issue if you feel it is causing further regression.
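The access chain described in the issue summary and in the comment above (bundle create access combined with `andIf()` against field edit access) can be replayed outside the REST request to see which half denies. The drush php-script below is an added example, not code from the issue or from Drupal core; the entity type, bundle, field name and uid are hypothetical values to adjust to the failing request, and it passes the account explicitly where core passes NULL for the current user.

```php
<?php

/**
 * @file
 * Added example (not from the issue or Drupal core): re-run the two halves of
 * the FileUploadResource access check separately for a given account so the
 * denying half, and its reason, is visible.
 *
 * Usage: drush php:script check_file_upload_access.php
 */

use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Access\AccessResultReasonInterface;
use Drupal\user\Entity\User;

// Hypothetical inputs; change them to match the request that gets denied.
$entity_type_id = 'node';
$bundle = 'article';
$field_name = 'field_image';
$uid = 2;

$account = User::load($uid);
if (!$account) {
  print "No user with uid $uid\n";
  return;
}

$entity_type_manager = \Drupal::entityTypeManager();
$entity_type = $entity_type_manager->getDefinition($entity_type_id);
$handler = $entity_type_manager->getAccessControlHandler($entity_type_id);

// Same normalisation as core: only bundleable entity types get a bundle.
$bundle_arg = $entity_type->hasKey('bundle') ? $bundle : NULL;

$field_definitions = \Drupal::service('entity_field.manager')
  ->getFieldDefinitions($entity_type_id, $bundle);
if (!isset($field_definitions[$field_name])) {
  print "Field $field_name does not exist on $entity_type_id:$bundle\n";
  return;
}
$field_definition = $field_definitions[$field_name];

// Half 1: may this account create entities of this bundle? For nodes this is
// the "create {bundle} content" permission (or "bypass node access").
$create = $handler->createAccess($bundle_arg, $account, [], TRUE);

// Half 2: may this account edit this field? With no hook_entity_field_access()
// implementation denying it, core's default for 'edit' is allowed.
$field = $handler->fieldAccess('edit', $field_definition, $account, NULL, TRUE);

// Core combines the two with andIf(): both must allow or the upload is denied.
$combined = $create->andIf($field);

$describe = function (string $label, AccessResultInterface $result): void {
  $state = $result->isAllowed() ? 'allowed' : ($result->isForbidden() ? 'forbidden' : 'neutral');
  $reason = $result instanceof AccessResultReasonInterface ? $result->getReason() : '';
  printf("%-13s %-9s %s\n", $label, $state, $reason);
};

$describe('createAccess', $create);
$describe('fieldAccess', $field);
$describe('combined', $combined);
```

If `fieldAccess` prints `allowed` while `createAccess` prints `neutral` or `forbidden`, the role is missing the bundle's create permission rather than a field-level permission, which is the case the issue summary describes.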
