Administrator cannot access to temporary files without usage that are owned by other users

Created on 22 September 2023, 12 months ago

Problem/Motivation

Steps to reproduce

1. Create a image field in content type.
2. Create a node and upload a image but not save the node.
3. Access to /admin/content/files and the image file is temporary and file usage is 0
4. Click the file link, got Access Deny.

Proposed resolution

Add role check logic in file_file_download function.
If user is the Administrator, allowed to access the file.Instead of just only checking whether the file owner is the same as the current user.

🐛 Bug report

Status

Needs work

Version

10.1 ✨

Component

File system →

Last updated 1 day ago

Maintained by
🇦🇺Australia @kim.pepper

Created by

bijiaxing

Live updates comments and jobs are added and updated live.

Needs tests
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Comments & Activities

Issue created by @bijiaxing
Comment 12 months ago →
bijiaxing
Status changed to Needs review 12 months ago11:12am 22 September 2023
Open in Jenkins → Open on Drupal.org →
Environment: PHP 8.2 & MySQL 8
last update 12 months ago
29,482 pass
Comment 12 months ago →
🇺🇸United States cilefen
Status changed to Needs work 12 months ago1:39pm 22 September 2023
Comment 12 months ago →
🇺🇸United States smustgrave
Thank you for reporting

Believe next steps would be to add a test case to show the issue and that the patch addresses it.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024