From c6004f0a00ff0e7a118fb37e7ef529a2d72fe5bc Mon Sep 17 00:00:00 2001
From: Brian Canini <canini.16@osu.edu>
Date: Wed, 21 Aug 2019 11:47:38 -0400
Subject: [PATCH] new patch - https://www.drupal.org/project/drupal/issues/2949017 - Allows user/1 to delete or update file entities created by other users
---
 composer.json | 3 ++-
 vendor/composer/installed.json | 3 ++-
 web/core/PATCHES.txt | 4 ++++
 web/core/modules/file/src/FileAccessControlHandler.php | 4 ++--
 4 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/composer.json b/composer.json
index a3beb42004..19fb2a3e41 100644
--- a/composer.json
+++ b/composer.json
@@ -266,7 +266,8 @@
 },
 "patches": {
 "drupal/core": {
- "2799049": "patches/role_based_email_access-2799049-d87.patch"
+ "2799049": "patches/role_based_email_access-2799049-d87.patch",
+ "2949017": "https://www.drupal.org/files/issues/2018-09-19/allow-uid-1-to-delete-2949017-36-3.patch"
 },
 "drupal/better_exposed_filters": {
 "2961022": "https://www.drupal.org/files/issues/2018-09-27/better_exposed_filters-autosubmit-fix-2961022-4.patch"
diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json
index 6c658fe890..3e427e11f3 100644
--- a/vendor/composer/installed.json
+++ b/vendor/composer/installed.json
@@ -3752,7 +3752,8 @@
 "merge-extra": false
 },
 "patches_applied": {
- "2799049": "patches/role_based_email_access-2799049-d87.patch"
+ "2799049": "patches/role_based_email_access-2799049-d87.patch",
+ "2949017": "https://www.drupal.org/files/issues/2018-09-19/allow-uid-1-to-delete-2949017-36-3.patch"
 }
 },
 "installation-source": "dist",
diff --git a/web/core/PATCHES.txt b/web/core/PATCHES.txt
index c1b9dd1688..1df5279463 100644
--- a/web/core/PATCHES.txt
+++ b/web/core/PATCHES.txt
@@ -5,3 +5,7 @@ Patches applied to this directory:
 Source: patches/role_based_email_access-2799049-d87.patch
+2949017
+Source: https://www.drupal.org/files/issues/2018-09-19/allow-uid-1-to-delete-2949017-36-3.patch
+
+
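Review bot: The new `2949017` entry under `drupal/core` in composer.json points at a remote URL, so a patch that changes core access control is fetched from drupal.org at install time instead of coming from the repository like the `2799049` entry beside it. Nothing visible in this hunk pins the content of that download, so the applied change depends on the remote file staying available and unchanged. Committing the reviewed patch under `patches/` and referencing it by path would keep the build reproducible, e.g. `"2949017": "patches/allow-uid-1-to-delete-2949017-36-3.patch"` (file name taken from the URL).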
diff --git a/web/core/modules/file/src/FileAccessControlHandler.php b/web/core/modules/file/src/FileAccessControlHandler.php
index 1e6768da64..8acf85eda1 100644
--- a/web/core/modules/file/src/FileAccessControlHandler.php
+++ b/web/core/modules/file/src/FileAccessControlHandler.php
@@ -64,8 +64,8 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter
 if ($operation == 'delete' || $operation == 'update') {
 $account = $this->prepareUser($account);
 $file_uid = $entity->get('uid')->getValue();
- // Only the file owner can update or delete the file entity.
- if ($account->id() == $file_uid[0]['target_id']) {
+ // Only the file owner or UID 1 can update or delete the file entity.
+ if ($account->id() == $file_uid[0]['target_id'] || $account->id() == 1) {
 return AccessResult::allowed();
 }
 return AccessResult::forbidden('Only the file owner can update or delete the file entity.');
-- 
GitLab
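Review bot: The added `|| $account->id() == 1` clause in checkAccess() grants update/delete on every file entity from a hard-coded account id compared loosely, so the bypass is not expressed as a permission that can be granted, audited or withdrawn. If the exception for user 1 is intended, make the comparison exact with `(int) $account->id() === 1`. The unchanged `AccessResult::forbidden(...)` reason still says only the owner may act, so extend it to match, e.g. `'Only the file owner or user 1 can update or delete the file entity.'`. The allowed result also appears to carry no cacheability metadata although it depends on the account and the file's owner; that predates this hunk, but it is worth confirming the result is not reused across users. checkAccess() starts before the hunk and continues after it.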