From 527e0887b70f4fbc4937b200d1d97d9fe7dcd309 Mon Sep 17 00:00:00 2001
From: Brian Canini <canini.16@osu.edu>
Date: Mon, 24 Feb 2020 13:36:26 -0500
Subject: [PATCH] applying patch - creates a permission for users types to delete files
---
 composer.json | 4 ++--
 vendor/composer/installed.json | 2 +-
 web/core/PATCHES.txt | 2 +-
 web/core/modules/file/file.permissions.yml | 4 ++++
 web/core/modules/file/src/FileAccessControlHandler.php | 10 ++++++++--
 5 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/composer.json b/composer.json
index d5ddc48151..3da9081955 100644
--- a/composer.json
+++ b/composer.json
@@ -271,7 +271,7 @@
 "patches": {
 "drupal/core": {
 "2799049": "patches/role_based_email_access-2799049-d87.patch",
- "2949017": "https://www.drupal.org/files/issues/2018-09-19/allow-uid-1-to-delete-2949017-36-3.patch"
+ "2949017": "https://www.drupal.org/files/issues/2019-12-12/2949017-59.patch"
 },
 "drupal/better_exposed_filters": {
 "2961022": "https://www.drupal.org/files/issues/2018-09-27/better_exposed_filters-autosubmit-fix-2961022-4.patch"
@@ -312,4 +312,4 @@
 "php": "7.0.8"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json
index 5de745637e..73859a4733 100644
--- a/vendor/composer/installed.json
+++ b/vendor/composer/installed.json
@@ -3701,7 +3701,7 @@
 },
 "patches_applied": {
 "2799049": "patches/role_based_email_access-2799049-d87.patch",
- "2949017": "https://www.drupal.org/files/issues/2018-09-19/allow-uid-1-to-delete-2949017-36-3.patch"
+ "2949017": "https://www.drupal.org/files/issues/2019-12-12/2949017-59.patch"
 }
 },
 "installation-source": "dist",
diff --git a/web/core/PATCHES.txt b/web/core/PATCHES.txt
index 1df5279463..cafe50e4be 100644
--- a/web/core/PATCHES.txt
+++ b/web/core/PATCHES.txt
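Review bot: The new `2949017` entry in composer.json's `patches` map still points at a drupal.org URL, so the code applied to `drupal/core` at install time is whatever that URL serves rather than content held in this repository. The neighbouring `2799049` entry already uses the alternative, a file under `patches/`. Committing a reviewed copy and referencing it, for example `"2949017": "patches/2949017-59.patch"`, would pin the patch that changes file access control.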
@@ -6,6 +6,6 @@ Source: patches/role_based_email_access-2799049-d87.patch
 2949017
-Source: https://www.drupal.org/files/issues/2018-09-19/allow-uid-1-to-delete-2949017-36-3.patch
+Source: https://www.drupal.org/files/issues/2019-12-12/2949017-59.patch
diff --git a/web/core/modules/file/file.permissions.yml b/web/core/modules/file/file.permissions.yml
index 8575f20806..9103b2ed3c 100644
--- a/web/core/modules/file/file.permissions.yml
+++ b/web/core/modules/file/file.permissions.yml
@@ -1,2 +1,6 @@
 access files overview:
 title: 'Access the Files overview page'
+
+delete any files:
+ title: 'Delete any files'
+ restrict access: true
diff --git a/web/core/modules/file/src/FileAccessControlHandler.php b/web/core/modules/file/src/FileAccessControlHandler.php
index 5d62230309..10c5737991 100644
--- a/web/core/modules/file/src/FileAccessControlHandler.php
+++ b/web/core/modules/file/src/FileAccessControlHandler.php
@@ -63,9 +63,15 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter
 if ($operation == 'delete' || $operation == 'update') {
 $account = $this->prepareUser($account);
+
+ // Elevated permission to delete any files.
+ if ($operation === 'delete' && $account->hasPermission('delete any files')) {
+ return AccessResult::allowed();
+ }
+
+ // Otherwise, only the file owner can update or delete the file entity.
 $file_uid = $entity->get('uid')->getValue();
- // Only the file owner or UID 1 can update or delete the file entity.
- if ($account->id() == $file_uid[0]['target_id'] || $account->id() == 1) {
+ if ($account->id() == $file_uid[0]['target_id']) {
 return AccessResult::allowed();
 }
 return AccessResult::forbidden('Only the file owner can update or delete the file entity.');
-- 
GitLab
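Review bot: The new `delete any files` entry in file.permissions.yml has a title but no `description`, so an administrator assigning it is not told that the grant bypasses the owner-only rule in FileAccessControlHandler::checkAccess. I would add a line under the title such as `description: 'Delete file entities owned by any user, not only files the user uploaded.'`. `restrict access: true` fits a grant of this reach and should stay.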
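Review bot: The added `return AccessResult::allowed();` in the `delete any files` branch depends on the account's permissions but carries no cacheability metadata, so wherever this access result is cached it could be reused for an account that lacks the permission. Returning `AccessResult::allowed()->cachePerPermissions();` records the `user.permissions` cache context for that decision. The comment above the branch could also state its scope, e.g. `// 'delete any files' skips the owner comparison below; 'update' stays owner-only.` checkAccess starts and ends outside the hunk, so how callers cache the result is not visible here.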