Contrib.social

Download access to files on public filesystems should always be allowed

Open on Drupal.org →
Created on 28 September 2021, over 3 years ago
Updated 9 August 2023, almost 2 years ago

Problem/Motivation

In the core file access handler, if the file is stored in the public:// scheme, the download operation is always allowed and the view operation is allowed if the access content permission is granted. This logic should also be applied to public flysystem filesystems.

The way it works now, everything is okay unless you're not the owner of the file and your file usage data somehow becomes out-of-date. In that case, you get You do not have access to the referenced entity (file: xxx). errors when saving content with image/file fields containing existing files.

Steps to reproduce

  1. Upload a file to a certain field with user A.
  2. Clear the file_usage table to make sure the fallback logic is not used.
  3. Try to save the entity user A uploaded a file to as user B.

Proposed resolution

Add flysystem_entity_access in which we're checking whether the file is stored in a flysystem filesystem and allowing access if the filesystem is public.

🐛 Bug report
Status

Fixed

Version

2.1

Component

Code

Created by

🇧🇪Belgium dieterholvoet Brussels

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024