Drupal should not check whether a user has the 'access content' permission (view published content) when that user is uploading a managed file. The file could be attached to a taxonomy term, a user account, or any other entity in the system, none of which has anything to do with viewing published content; the permission being checked is unrelated to the operation being performed.
In the File module, the hook_menu() entries for the AJAX callbacks currently look like this:
```php
$items['file/ajax'] = array(
  'page callback' => 'file_ajax_upload',
  'delivery callback' => 'ajax_deliver',
  'access arguments' => array('access content'),
  'theme callback' => 'ajax_base_page_theme',
  'type' => MENU_CALLBACK,
);
$items['file/progress'] = array(
  'page callback' => 'file_ajax_progress',
  'access arguments' => array('access content'),
  'theme callback' => 'ajax_base_page_theme',
  'type' => MENU_CALLBACK,
);
```
They need to look like this instead, with the unrelated permission check replaced by an unconditional access callback:
```php
$items['file/ajax'] = array(
  'page callback' => 'file_ajax_upload',
  'delivery callback' => 'ajax_deliver',
  'access callback' => TRUE,
  'theme callback' => 'ajax_base_page_theme',
  'type' => MENU_CALLBACK,
);
$items['file/progress'] = array(
  'page callback' => 'file_ajax_progress',
  'access callback' => TRUE,
  'theme callback' => 'ajax_base_page_theme',
  'type' => MENU_CALLBACK,
);
```
If we are using file entities in Drupal 8, then this bug is limited to Drupal 7.
Attachment | Size | Status | Test result
---|---|---|---
drupal-file_ajax_improperly_checks_access.patch | 740 bytes | Idle | PASSED: [[SimpleTest]]: [MySQL] 39,928 pass(es).