- Issue created by @adamps
- π¦πΊAustralia kim.pepper πββοΈπ¦πΊSydney, Australia
Sounds like a great idea.
Drupal governs access to files using FileDownloadController and hook_file_download(). However there is no API to query whether a given user has access to a file without reference to any HTTP request.
Specifically the Drupal Symfony Mailer contrib module needs this information in order to decide whether to allow a file to be attached to an email. When the file is attached this bypasses the checks that would normally be done if the file were accessed via HTTP. Therefore we need to ensure that an untrusted user cannot find any way to trigger an email to be sent an untrusted address with an attachment of their choice. This isn't just a theoretical risk - an issue of this sort was found in a popular Contrib module.
The workaround is to try to replicate the action of FileDownloadController by calling hook_file_download(). However this is not desirable: it introduces the risk of a bug from failing to replicate the code, and it creates a dependency on an implementation detail that might change without notice.
Create a new function (and perhaps a new class) something like this:
checkFileAccess(string $uri, ?AccountInterface $account = NULL, $return_as_object = FALSE): bool|\Drupal\Core\Access\AccessResultInterface;
None
None
As above
None
Active
11.0 π₯
file system
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
Sounds like a great idea.