Anonymous user are able to fill a form which contains a custom "managed_file" form element. This element uploads files in a private location for security reason.
i.e:
$form['files'] = [
'#type' => 'managed_file',
'#upload_location' => 'private://somewhere/',
'#multiple' => TRUE,
];
1. Create a custom form.
2. Add a file_manage form element which upload files into a private directory.
3. As an anonymous user, upload several files to the form.
Here comes the trouble. Even though the form will return the files (and files are well saved on the server), they are not available to the form anymore.
4. Try to delete one file using the removed selected button --> All files will be deleted.
5. (with or without 4.) Try submitting the form --> Files are not available in form_state.
I think we should move a bit down the access test in Drupal\file\Element\ManagedFile::valueCallback(), so we let temporary files being dealt with before we actually perform the access test.
Reviewing, testing.
Needs work
9.5
Used to track the progress of issues reviewed by the Drupal Needs Review Queue Initiative.
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
As a bug it will need a test case to show the issue
Thanks!
I don't know, if I have some time I can try reproducing it on a fresh Drupal instance.
If nobody can reproduce it, it might be a bug from the site I was working on.
Bitten by this one as well, the patch makes sense, and it works at the moment. Would be great to have some security eyes on this one!