- 🇺🇸United States smustgrave
As a bug it will need a test case to show the issue
Thanks!
- 🇭🇷Croatia Aporie
I don't know, if I have some time I can try reproducing it on a fresh Drupal instance.
If nobody can reproduce it, it might be a bug from the site I was working on.
- 🇧🇪Belgium swentel
Bitten by this one as well, the patch makes sense, and it works at the moment. Would be great to have some security eyes on this one!
- 🇺🇸United States smustgrave
Came up as a daily BSI triage target.
Summary seems good. MR will have to be updated to 11.x and a test case added.
- First commit to issue fork.
- 🇮🇳India mrinalini9 New Delhi
Created MR against 11.x.
A test still needs to be added.
- 🇭🇷Croatia Aporie
Hi @smustgrave,
Just spent a good afternoon trying to make a FunctionalJavascript test for it. Seems like a dead end. For some reason the ajax of the managed_file element is not working.
I see that some kind of tweak was implemented in core/modules/file/tests/src/FunctionalJavascript/FileManagedFileElementTest.php to bypass it, so I tried going this way, adding $is_private to the form.
The problem is, as long as the form doesn't get reloaded with ajax, we can't reproduce the issue. The form_state never gets updated with empty $fids, and we can never reproduce the removal of all files when trying to remove only one.
I'll see if I have some ideas coming up, but for now I feel beaten by this fracking ajax. Maybe we could test a Unit approach?
If you have any idea, or pointers ... I can take another look at it next week.