diff --git a/composer.json b/composer.json
index d5ddc48151aeecea243cad5099eacb9d5d3716a3..3da90819555c1f7c66e2c4bb04af19e0937f0fb4 100644
--- a/composer.json
+++ b/composer.json
@@ -271,7 +271,7 @@
         "patches": {
             "drupal/core": {
                 "2799049": "patches/role_based_email_access-2799049-d87.patch",
-                "2949017": "https://www.drupal.org/files/issues/2018-09-19/allow-uid-1-to-delete-2949017-36-3.patch"
+                "2949017": "https://www.drupal.org/files/issues/2019-12-12/2949017-59.patch"
             },
             "drupal/better_exposed_filters": {
                 "2961022": "https://www.drupal.org/files/issues/2018-09-27/better_exposed_filters-autosubmit-fix-2961022-4.patch"
@@ -312,4 +312,4 @@
             "php": "7.0.8"
         }
     }
-}
\ No newline at end of file
+}
diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json
index 5de745637e6a974303fb07bf79004205f7632d1d..73859a47335fc87b1c68f631c3ac91d62152dba4 100644
--- a/vendor/composer/installed.json
+++ b/vendor/composer/installed.json
@@ -3701,7 +3701,7 @@
             },
             "patches_applied": {
                 "2799049": "patches/role_based_email_access-2799049-d87.patch",
-                "2949017": "https://www.drupal.org/files/issues/2018-09-19/allow-uid-1-to-delete-2949017-36-3.patch"
+                "2949017": "https://www.drupal.org/files/issues/2019-12-12/2949017-59.patch"
             }
         },
         "installation-source": "dist",
diff --git a/web/core/PATCHES.txt b/web/core/PATCHES.txt
index 1df527946397999762989a1f413ce08e0bd13528..cafe50e4be6b3180469bc15f9400e2c5adfc3966 100644
--- a/web/core/PATCHES.txt
+++ b/web/core/PATCHES.txt
@@ -6,6 +6,6 @@ Source: patches/role_based_email_access-2799049-d87.patch
 
 
 2949017
-Source: https://www.drupal.org/files/issues/2018-09-19/allow-uid-1-to-delete-2949017-36-3.patch
+Source: https://www.drupal.org/files/issues/2019-12-12/2949017-59.patch
 
 
diff --git a/web/core/modules/file/file.permissions.yml b/web/core/modules/file/file.permissions.yml
index 8575f20806b968afd8533a6e50061d068358480e..9103b2ed3cd37099663904b849c8e40fdc5b0112 100644
--- a/web/core/modules/file/file.permissions.yml
+++ b/web/core/modules/file/file.permissions.yml
@@ -1,2 +1,6 @@
 access files overview:
   title: 'Access the Files overview page'
+
+delete any files:
+  title: 'Delete any files'
+  restrict access: true
diff --git a/web/core/modules/file/src/FileAccessControlHandler.php b/web/core/modules/file/src/FileAccessControlHandler.php
index 5d6223030986a045d3d30895a4aa81977c724bff..10c5737991f9185c4e0da6452c40a3940392f398 100644
--- a/web/core/modules/file/src/FileAccessControlHandler.php
+++ b/web/core/modules/file/src/FileAccessControlHandler.php
@@ -63,9 +63,15 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter
 
     if ($operation == 'delete' || $operation == 'update') {
       $account = $this->prepareUser($account);
+
+      // Elevated permission to delete any files.
+      if ($operation === 'delete' && $account->hasPermission('delete any files')) {
+        return AccessResult::allowed();
+      }
+
+      // Otherwise, only the file owner can update or delete the file entity.
       $file_uid = $entity->get('uid')->getValue();
-      // Only the file owner or UID 1 can update or delete the file entity.
-      if ($account->id() == $file_uid[0]['target_id'] || $account->id() == 1) {
+      if ($account->id() == $file_uid[0]['target_id']) {
         return AccessResult::allowed();
       }
       return AccessResult::forbidden('Only the file owner can update or delete the file entity.');