Fixed blocks are not visible to guest users

Created on 29 March 2022, over 2 years ago
Updated 6 October 2023, about 1 year ago

Hi!

Not sure if this is an issue with this module or the underlying core functionality in general, but I'll try my luck here first.

I have a site where the default method for serving files, including images tracked by CKEditor, is the private file system.

Now I have a fixed block with an image embedded through the editor. For the admin user everything looks fine. The block's text content and the image appear as they should.

For guest users, the block's text appears, but not the image.

After a bit of digging I found that the attempt to display the image triggers editor_file_download(). This eventually lands us in BlockContentAccessControlHandler::checkAccess().

We start off with an AccessResultAllowed in $access for the block.

As the block is non-reusable, we end up in line 83, where $access->andIf($dependency->access($operation, $account, TRUE)) results in $access now being an AccessResultNeutral, which results in editor_file_download() denying access to the image.

Two things that are unclear to me at the moment:

  1. As mentioned above, is this an issue caused by this specific module? Or is it a general issue with the core block system that is just triggered because of the non-reusable block created here?
  2. Right now I don't see a good solution to work around this issue that doesn't involve creating a non-fixed block or changing the way files are served.

Edit: For comparison I just started with a fresh D9 installation and created both a non-reusable block via Layout Builder (top) and one using Fixed Block Content (bottom).

The image in the Layout Builder block shows up fine for guests, the one in the Fixed Content Block gets a 403.

🐛 Bug report

Status: Needs review

Version: 1.1

Component: Code

Created by: 🇩🇪 Germany, marcoliver (Neuss, NRW, Germany)


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • First commit to issue fork.
  • 🇳🇱Netherlands watergate

    Stumbled upon the same problem when attaching a paragraph field to (fixed) block content.

    I agree with @vidorado (#3272253-5: Fixed blocks are not visible to guest users) that this "solution" might be too permissive/friendly. The infinite loop is indeed a problem; the solution might be to implement the same strategy as used by the BlockContentAccessControlHandler::checkAccess():

    AccessResult::allowedIf($entity->isPublished())
      ->orIf(AccessResult::allowedIfHasPermissions($account, [
        'access block library',
      ]))
      ->orIf(AccessResult::allowedIfHasPermissions($account, [
        'administer block content',
      ]))
    

    Where the $entity->isPublished() should be the referenced/included block content object.

    The provided patch didn't apply cleanly anymore (to the latest dev-version), so I've opened a merge-request (already).

  • @watergate opened merge request.
  • Status changed to Needs review about 1 year ago
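
The access arithmetic discussed in this thread, as an added example that is not part of the issue, the merge request or Drupal core. It is a simplified stand-in for AccessResult (the names Access, servesPrivateFile() and proposedAccess() are hypothetical, cacheability metadata is omitted, PHP 8.1 enums are assumed) showing why "allowed andIf neutral" ends with the private image denied, and that the published-or-permission combination from the comment serves it to guests only while the block is published.

```php
<?php
// Simplified stand-in for Drupal's AccessResult; cacheability is omitted and
// the names Access, servesPrivateFile, proposedAccess are hypothetical.
enum Access: string {
  case Allowed = 'allowed';
  case Neutral = 'neutral';
  case Forbidden = 'forbidden';

  public static function allowedIf(bool $condition): self {
    return $condition ? self::Allowed : self::Neutral;
  }
  // andIf(): forbidden wins; allowed only when both sides are allowed.
  public function andIf(self $other): self {
    if ($this === self::Forbidden || $other === self::Forbidden) {
      return self::Forbidden;
    }
    return ($this === self::Allowed && $other === self::Allowed) ? self::Allowed : self::Neutral;
  }
  // orIf(): forbidden wins; otherwise one allowed side is enough.
  public function orIf(self $other): self {
    if ($this === self::Forbidden || $other === self::Forbidden) {
      return self::Forbidden;
    }
    return ($this === self::Allowed || $other === self::Allowed) ? self::Allowed : self::Neutral;
  }
}

// As the report describes for editor_file_download(): only an explicit
// "allowed" serves the private file, so neutral behaves like a denial.
function servesPrivateFile(Access $access): bool {
  return $access === Access::Allowed;
}

// The combination suggested in the comment: published OR either permission.
function proposedAccess(bool $published, bool $libraryPerm, bool $adminPerm): Access {
  return Access::allowedIf($published)
    ->orIf(Access::allowedIf($libraryPerm))
    ->orIf(Access::allowedIf($adminPerm));
}

// Constructed cases for a guest who holds neither permission.
$cases = [
  'reported: allowed andIf neutral' => Access::Allowed->andIf(Access::Neutral),
  'proposed, published block' => proposedAccess(TRUE, FALSE, FALSE),
  'proposed, unpublished block' => proposedAccess(FALSE, FALSE, FALSE),
];
foreach ($cases as $label => $result) {
  printf("%-32s %-8s served: %s\n", $label, $result->value, servesPrivateFile($result) ? 'yes' : 'no');
}
```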