The entity:file resource needs an access controller in order to be able to view file entities through the REST module.
Example:
1. On a clean Drupal installation, Enable rest module.
2. Add a file filed to the page content type and create a page adding a file to it.
3. Enable node and file REST resources and give permissions to anonymous users to access GET method on these two.
4. Request http://d8.local/entity/node/1 >> you will get the page node, which contains the file entity.
5. Request http://d8.local/entity/file/1 >> you will get a 403 error.
This happens because the file entity uses EntityAccessController->checkAccess(), which simply looks for the permission 'administer files'.
Should we add more fine grained permissions for entities in the rest module?
Comment | File | Size | Author |
---|---|---|---|
#35 | 2128791-35-should-fail.patch | 3.95 KB | marthinal |
#32 | 2128791-32.patch | 4.21 KB | marthinal |
#15 | interdiff.txt | 3.46 KB | Xano |
#15 | drupal_2128791_15.patch | 3.54 KB | Xano |
#8 | drupal-file-access-controller-only-test-2128791-8.patch | 1.77 KB | juampynr |
Comments
Comment #1
juampynr CreditAttribution: juampynr commentedHere is a patch that adds a very simple access controller. After aplying it, http://d8.local/entity/file/1 will return the requested file if permission 'access get on entity:file' resource is active for anonymous users.
Comment #2
juampynr CreditAttribution: juampynr commentedComment #4
dawehnerMaybe we could just introduce an "admin_permission" on the File entity.
Comment #5
marthinal CreditAttribution: marthinal commentedLet's try this patch. @juampy, should be the access controller into the file core module? If we can access to the node and to the file attached to this node too... we don't need to alter the entity, I mean the file should be accessible.
Comment #6
BerdirFiles do have their own access API that is important for e.g. private files, you can't just allow anyone to see them. See file_file_download(), I tried to deprecate that in favor of relying on an access controller but the problem is that based on how this currently works (the API is limited to a specific field type), there's not enough context in the entity access controller/hooks.
I've also opened #2078473: Use entity access API for checking access to private files to deprecate the custom API in favor of relying more on the entity access API, I originally tried to do that in #1327224: Access denied to taxonomy term image.
Comment #7
juampynr CreditAttribution: juampynr commentedPublic files are just accessible in the browser without any extra access check. Therefore, their REST resource should not rely on EntityAccessController->checkAccess().
Here is an updated version where the FileAccessController only allows access to public files. Other file streams go through EntityAccessController->checkAccess().
At the moment the REST File resource simply does not work without this patch.
Comment #8
juampynr CreditAttribution: juampynr commentedAdding a test to prove this. One patch contains just the test. The other one contains the test and the AccessController.
Comment #10
juampynr CreditAttribution: juampynr commentedVerified. Patch with just the test fails.
Comment #11
amateescu CreditAttribution: amateescu commentedSo.. this means that when the rest module is enabled, every part of drupal that wants to check access to a public file will go through
Drupal\rest\FileAccessController
, which returns TRUE for that scheme. That doesn't sound right at all...Comment #12
juampynr CreditAttribution: juampynr commented@amateescu, can you give me a hint on how to tackle the problem described at the top of this issue?
Comment #13
BerdirFor a start, move the access controller to file.module. rest.module should rely on the entity access API, not define access rules itself.
Then we need to decide what to do about private files.
file_permission() defines 'access files overview', you could require that for private files?
Comment #14
larowlanAdded #2148353: File access (hook_file_download) does not use an EntityAccessController to related issues
Comment #15
Xano@Berdir is right in #6:
hook_file_download_access()
(only called byfile_file_download()
, which is an implementation of what seems to be an undocumented hook) takes too much context to be easily replaced withhook_entity_access()
. What I'm not sure of is 1) should file entities always be field values, or can they exist stand-alone? and 2) Can a single file entity be a value for multiple file fields? Let's discuss this in #2078473: Use entity access API for checking access to private files, however.This patch moves the access controller to the File module and adds some type hinting to make IDEs happy.
Comment #16
amateescu CreditAttribution: amateescu commented@juampy, sorry for not being more detailed in my review, #13 / #15 is what I meant :)
Comment #17
Berdir@Xano: Both hooks are documented, hook_file_download() is in system.api.php. I'm fine with getting a minimal implementation in here and continue in the referenced issue, but I'm not sure what that minimal implementation needs to do exactly :)
Comment #18
XanoMinimal implementation of what?
Comment #19
BerdirOf the file access controller? If we need to care about private files, or not, ...
Comment #20
juampynr CreditAttribution: juampynr commentedDo we need this? @inheritdoc should take care of it.
Same here. Do we need this?
Comment #21
XanoWe need it in the access controller at least, because the method expects EntityInterface and not FileInterface, but we are calling FileInterface::getFileUri().
Comment #22
juampynr CreditAttribution: juampynr commentedShouldn't we remove the @inheritdoc and write the list of arguments so it matches reality?
Comment #23
tim.plunkett@juampy It doesn't matter, the actual typehint in the method params will prevent an IDE from caring about the @param. It needs to be inline.
Comment #24
juampynr CreditAttribution: juampynr commentedOh, I see now. Thanks.
Are we done here?
Comment #25
klausithe test in REST module looks wrong. This should have a unit test for file entity access() in file.module, since there is no bug in REST module, right?
And I don't think this is critical, Drupal does not stop working, this is not a security issue and this could be fixed from contrib.
Comment #26
Dave ReidComment #27
marthinal CreditAttribution: marthinal commentedComment #28
marthinal CreditAttribution: marthinal commentedComment #29
marthinal CreditAttribution: marthinal commentedThis is a first attempt. I don't know if we need to attach first the test for unit test. So the only test patch will crash.
I was talking with @juampy about the possibility to use the functional test for the rest module to reproduce this bug too... I understood that he agrees about that.
Comment #32
marthinal CreditAttribution: marthinal commentedlet's try again
Comment #33
marthinal CreditAttribution: marthinal commentedComment #35
marthinal CreditAttribution: marthinal commentedWhen I run this unit test from phpunit directly it pass. When I run the test using the run-test.sh script it fails because file_uri_scheme() is used from core/tests/Drupal/Tests/Core/Asset/CssOptimizerUnitTest.php and not from the current test.
Comment #38
marthinal CreditAttribution: marthinal commentedComment #39
xjm32: 2128791-32.patch queued for re-testing.
Comment #41
juampynr CreditAttribution: juampynr commentedSince [#2241059] this bug does not make sense anymore. Paths have changed and now I am seeing a different bug that I will describe in a new issue.
Closing.
Comment #42
juampynr CreditAttribution: juampynr commentedCreated #2277705: Files don't have URI nor href as a follow up.
Comment #43
blueminds CreditAttribution: blueminds commentedRelated to and addressed in #2078473: Use entity access API for checking access to private files
Comment #44
Gábor HojtsyFix media tag.