- 🇺🇸United States smustgrave
This came up as a daily BSI
Don't have time to fully setup but would be good to confirm first if still an issue in D11.
- 🇮🇳India mohit_aghera Rajkot
I tried to reproduce the issue based on the description.
It seems that current implementation is done on purpose to prevent accidental file upload issue.
It was implemented in #1927648: Allow creation of file entities from binary data via REST requests → .The comment #326 → from @berdir summarises the purpose of the access mechanism.
The advantage of uploading for a specific field is that we don't have to worry about temporary:// IMHO. Because we can just create it as a normal public:// (or whatever is configured on that field) temporary (the status, not the location) file, just like when you upload in the UI. It would also fix the permission problem, because we can easily check edit access to that specific field for that node type. That means you can really only upload files if there's at least one file/image field on an entity type/bundle that you are allowed to edit.
Currently field access is returning the correct results.
$access_result = $entity_access_control_handler->createAccess($bundle, NULL, [], TRUE) ->andIf($entity_access_control_handler->fieldAccess('edit', $field_definition, NULL, NULL, TRUE));
If we see the
fieldAccess()
method, https://git.drupalcode.org/project/drupal/-/blob/11.x/core/lib/Drupal/Co..., it eventually callscheckFieldAccess
https://git.drupalcode.org/project/drupal/-/blob/11.x/core/lib/Drupal/Co... which returns true since operation is edit.Later in the `checkFieldAccess()` we are checking field "entity_field_access" hooks.
Please reopen the issue if you feel it is causing further regression.