Administrator cannot access to temporary files without usage that are owned by other users

Created on 22 September 2023, about 1 year ago

Problem/Motivation

Steps to reproduce

1. Create a image field in content type.
2. Create a node and upload a image but not save the node.
3. Access to /admin/content/files and the image file is temporary and file usage is 0
4. Click the file link, got Access Deny.

Proposed resolution

Add role check logic in file_file_download function.
If user is the Administrator, allowed to access the file.Instead of just only checking whether the file owner is the same as the current user.

🐛 Bug report

Status

Needs work

Version

10.1 ✨

Component

File system →

Last updated about 11 hours ago

Maintained by
🇦🇺Australia @kim.pepper

Created by

connbi

Live updates comments and jobs are added and updated live.

Needs tests
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Comments & Activities

Issue created by @connbi
Comment about 1 year ago →
connbi
Status changed to Needs review about 1 year ago11:12am 22 September 2023
Open in Jenkins → Open on Drupal.org →
Environment: PHP 8.2 & MySQL 8
last update about 1 year ago
29,482 pass
Comment about 1 year ago →
cilefen
Status changed to Needs work about 1 year ago1:39pm 22 September 2023
Comment about 1 year ago →
🇺🇸United States smustgrave
Thank you for reporting

Believe next steps would be to add a test case to show the issue and that the patch addresses it.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024