authorAlex Pott <alex.a.pott@googlemail.com>2014-10-15 10:10:03 +0100
committerAlex Pott <alex.a.pott@googlemail.com>2014-10-15 11:24:55 +0100
commit8f3f79ad34fcdc6db7b5bbb34f083a103ca4502c (patch)
treee835be90a8b4b952154aa67be65d29ef0bac156d /core/modules/file/src/FileAccessControlHandler.php
parentd3f8b78c008bc115b8cd0a035f60ab7c6f47c3a4 (diff)
Issue #2304969 by pwolanin, cilefen, Berdir, Devin Carlson, klausi: Fixed Port private files access bypass from SA-CORE-2014-003.
Diffstat (limited to 'core/modules/file/src/FileAccessControlHandler.php')
-rw-r--r--core/modules/file/src/FileAccessControlHandler.php24
1 files changed, 16 insertions, 8 deletions
diff --git a/core/modules/file/src/FileAccessControlHandler.php b/core/modules/file/src/FileAccessControlHandler.php
index c6183dae406e..2e336af56015 100644
--- a/core/modules/file/src/FileAccessControlHandler.php
+++ b/core/modules/file/src/FileAccessControlHandler.php
@@ -23,18 +23,26 @@ class FileAccessControlHandler extends EntityAccessControlHandler {
*/
protected function checkAccess(EntityInterface $entity, $operation, $langcode, AccountInterface $account) {
- if ($operation == 'download') {
- foreach ($this->getFileReferences($entity) as $field_name => $entity_map) {
- foreach ($entity_map as $referencing_entity_type => $referencing_entities) {
- /** @var \Drupal\Core\Entity\EntityInterface $referencing_entity */
- foreach ($referencing_entities as $referencing_entity) {
- $entity_and_field_access = $referencing_entity->access('view', $account, TRUE)->andIf($referencing_entity->$field_name->access('view', $account, TRUE));
- if ($entity_and_field_access->isAllowed()) {
- return $entity_and_field_access;
+ if ($operation == 'download' || $operation == 'view') {
+ $references = $this->getFileReferences($entity);
+ if ($references) {
+ foreach ($references as $field_name => $entity_map) {
+ foreach ($entity_map as $referencing_entity_type => $referencing_entities) {
+ /** @var \Drupal\Core\Entity\EntityInterface $referencing_entity */
+ foreach ($referencing_entities as $referencing_entity) {
+ $entity_and_field_access = $referencing_entity->access('view', $account, TRUE)->andIf($referencing_entity->$field_name->access('view', $account, TRUE));
+ if ($entity_and_field_access->isAllowed()) {
+ return $entity_and_field_access;
+ }
}
}
}
}
+ elseif ($entity->getOwnerId() == $account->id()) {
+ // This case handles new nodes, or detached files. The user who uploaded
+ // the file can always access if it's not yet used.
+ return AccessResult::allowed();
+ }
}
// No opinion.