When forbidding access to private files to anonymous, but still giving them the right to upload files the "managed_file" element is broken.
Test case: Anonymous user are able to fill a form which contains a custom "managed_file" form element. This element uploads files in a private location for security reason and anonymous should not have access to these files.
i.e:
/**
* Implements hook_file_access().
*/
function user_private_file_file_access(FileInterface $file, $operation, AccountProxyInterface $account) {
// You custom logic for file access.
// No access for the others (anonymous).
return AccessResult::forbidden();
}
$form['files'] = [
'#type' => 'managed_file',
'#upload_location' => 'private://somewhere/',
'#multiple' => TRUE,
];
1. Implements hook_file_access to restrict access to files.
2. Create a custom form.
3. Add a file_manage form element which upload files into a private directory.
4. As an anonymous user, upload several files to the form.
Here comes the trouble. Even though the form will return the files (and files are well saved on the server), they are not available to the form anymore.
5. Try to delete one file using the removed selected button --> All files will be deleted.
6. (with or without 4.) Try submitting the form --> Files are not available in form_state.
I think we should move a bit down the access test in Drupal\file\Element\ManagedFile::valueCallback(), so we let temporary files being dealt with before we actually perform the access test.
Reviewing, testing.
Needs work
9.5
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
As a bug it will need a test case to show the issue
Thanks!
I don't know, if I have some time I can try reproducing it on a fresh Drupal instance.
If nobody can reproduce it, it might be a bug from the site I was working on.