Problem/Motivation

Drupal should not check to see if a user has permission to view published nodes when they are uploading a managed file. That file could be on a term, a user, or anywhere else in the Drupal system - having nothing at all to do with viewing content that has been published.

In the file module, the AJAX callbacks look like this.

  file.ajax_progress:
  path: '/file/progress/{key}'
  defaults:
    _controller: '\Drupal\file\Controller\FileWidgetAjaxController::progress'
  requirements:
    _permission: 'access content'

Related:
#1368610: It is confusing why creating a node requires users to have permission to "view published content"

Steps to reproduce

Proposed resolution

To create a new permission for this specific use case

Remaining tasks

Issue Summary update
Decide on a solution, see #2
possible Reroll

User interface changes

API changes

Data model changes

Release notes snippet

CommentFileSizeAuthor
#38 1960784-38.patch2.53 KB_utsavsharma
#38 interdiff_36-38.txt1.16 KB_utsavsharma
#36 1960784-36.patch2.53 KBameymudras
#16 interdiff.txt1.1 KBswentel
#16 1960784-16.patch3.86 KBswentel
#14 1960784-14.patch2.76 KBswentel
#11 1960784-11.patch4.64 KBswentel
#11 interdiff.txt618 bytesswentel
#9 1960784-9.patch4.63 KBswentel
#9 interdiff.txt1.82 KBswentel
#7 1960784-7.patch3.46 KBswentel
#5 drupal-file_ajax_improperly_checks_access-1960784-5.patch1.64 KBgarphy
drupal-file_ajax_improperly_checks_access.patch740 bytesjenlampton
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

neRok’s picture

neRok CreditAttribution: neRok commented
Status: Needs review » Reviewed & tested by the community

I manually applied the patch to 7.22 (dont have a git setup atm), and everything seems to work as expected, so the code looks good.

However, is it a good idea to have no access checks for those menu paths at all? Maybe a new permission needs adding, "Can upload files to fields" or something of the sort.

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Version: 7.21 » 8.x-dev
Status: Reviewed & tested by the community » Needs review
Issue tags: +Needs backport to D7

This would need to go in Drupal 8 first.

And yeah, I think it needs a bit more review - just looks a bit scary to remove permissions entirely from this callback (even if the current permission being used there doesn't make sense)! I think the callbacks themselves might do enough checking of their own that it's safe, but would be good to see more reviews.

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented

If we are using file entities in Drupal 8 then this bug is limited to Drupal 7.

Oh, I missed that part of the comment. Well, I'm going by the fact that file/ajax and file/progress both exist in Drupal 8 and have the same permission check, and (currently at least) appear to be in use.

slashrsm’s picture

slashrsm CreditAttribution: slashrsm commented

I agree with @David_Rothstein here. Removing all access checks from a callback is generally not a good idea. However, file_ajax_upload() do check for form_id and fails if not present or invalid. file_ajax_progress() on the other hand performs no special checks and I am not sure if it is safe to open it to the entire world.

garphy’s picture

garphy CreditAttribution: garphy commented
FileSize
drupal-file_ajax_improperly_checks_access-1960784-5.patch1.64 KB

This patch adds a new 'upload files' permission.
Added a quick hook_update_N() to 'copy' the 'access content' permission.
NB: This is a D7 patch, for now.

Status: Needs review » Needs work

The last submitted patch, drupal-file_ajax_improperly_checks_access-1960784-5.patch, failed testing.

swentel’s picture

swentel CreditAttribution: swentel commented
Status: Needs work » Needs review
FileSize
1960784-7.patch3.46 KB

D8 version - will probably need some more 'upload files' permission in tests I guess.

Status: Needs review » Needs work

The last submitted patch, 1960784-7.patch, failed testing.

swentel’s picture

swentel CreditAttribution: swentel commented
Status: Needs work » Needs review
FileSize
interdiff.txt1.82 KB
1960784-9.patch4.63 KB

Different approach for D8

Status: Needs review » Needs work

The last submitted patch, 1960784-9.patch, failed testing.

swentel’s picture

swentel CreditAttribution: swentel commented
Status: Needs work » Needs review
FileSize
interdiff.txt618 bytes
1960784-11.patch4.64 KB

Right, duh.

swentel’s picture

swentel CreditAttribution: swentel commented
Issue summary: View changes

bug

slashrsm’s picture

slashrsm CreditAttribution: slashrsm commented 
+++ b/core/modules/file/file.install
@@ -321,3 +321,13 @@ function file_update_8004() {
+/**
+ * Add 'upload files' permission to roles having 'access content' permission.
+ */
+function file_update_8005(){
+  $add = array(
+    'access content' => 'upload files'
+  );
+  update_add_permissions($add);
+}
+
diff --git a/core/modules/file/file.module b/core/modules/file/file.module

This keeps the same configuration for sites that are upgraded from D7 to D8. It seems a bit strange to give all users permissions to upload files, but I understand the rationale behind that.

Do we want to add this permission to authenticated users only for freshly installed sites?

slashrsm’s picture

slashrsm CreditAttribution: slashrsm commented
Issue summary: View changes
Status: Needs review » Needs work
swentel’s picture

swentel CreditAttribution: swentel commented
Status: Needs work » Needs review
FileSize
1960784-14.patch2.76 KB

Rerolling - the update is not needed anymore.

AFAICT, there's no anonymous form in standard with a file upload, so I guess default installation is currently fine ?

Status: Needs review » Needs work

The last submitted patch, 14: 1960784-14.patch, failed testing.

swentel’s picture

swentel CreditAttribution: swentel commented
Status: Needs work » Needs review
FileSize
1960784-16.patch3.86 KB
interdiff.txt1.1 KB
dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner commented

Can we somehow ensure that the file widgets aren't shown in that case?

On top you might be able to upload files via REST. this would have to check access as well.

swentel’s picture

swentel CreditAttribution: swentel commented

Interesting remark re: the widget - haven't even thought about that.

jhedstrom’s picture

jhedstrom
Primary language English
Location Portland, OR
CreditAttribution: jhedstrom commented
Status: Needs review » Needs work

I think this is at needs work based on #17.

Berdir’s picture

Berdir
Primary language German
Location Switzerland
CreditAttribution: Berdir commented

See also #2310307: File needs CRUD permissions to make REST work on entity/file/{id} .

Berdir’s picture

Berdir
Primary language German
Location Switzerland
CreditAttribution: Berdir commented
Related issues: +#2310307: File needs CRUD permissions to make REST work on entity/file/{id}

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner as a volunteer and at Chapter Three commented
Related issues: +#1927648: Allow creation of file entities from binary data via REST requests

Another related issue: #1927648: Allow creation of file entities from binary data via REST requests

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

quietone’s picture

quietone CreditAttribution: quietone at PreviousNext commented
Issue summary: View changes
Issue tags: +Needs issue summary update, +Bug Smash Initiative

This was a bugsmash triage target. It was discussed with mstrelan and lendude. They concluded that this is still an issue, that it needs a discussion of the proposed fix because the solution in #2 'sounds bad', an issue summary update and a possible reroll.

ameymudras’s picture

ameymudras CreditAttribution: ameymudras at Salsa Digital commented
Status: Needs work » Needs review
FileSize
1960784-36.patch2.53 KB

Submitting a patch for 9.5.x with a custom permission

ameymudras’s picture

ameymudras CreditAttribution: ameymudras at Salsa Digital commented
Issue summary: View changes
_utsavsharma’s picture

_utsavsharma CreditAttribution: _utsavsharma at OpenSense Labs for DrupalFit commented
FileSize
interdiff_36-38.txt1.16 KB
1960784-38.patch2.53 KB

Tried to fix CCF in #36.

Status: Needs review » Needs work

The last submitted patch, 38: 1960784-38.patch, failed testing. View results

brad.bulger’s picture

brad.bulger CreditAttribution: brad.bulger commented

re #14

AFAICT, there's no anonymous form in standard with a file upload, so I guess default installation is currently fine ?

The default user registration form has a user picture field. If anonymous users don't have access content, they can't register.

That's about more than the Ajax callback - see FileAccessControlHandler::checkAccess - but seems relevant here.

#2988255: user_picture upload fails during registration without published content access

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.