X-Git-Url: http://aleph1.co.uk/gitweb/?a=blobdiff_plain;f=web%2Fcore%2Fmodules%2Ffile%2Fsrc%2FFileAccessControlHandler.php;h=1e6768da645910d8026be13b98e44ce54e51dde9;hb=5b8bb166bfa98770daef9de5c127fc2e6ef02340;hp=f4bda3cb7d266490ec216fe5c75bf62ff9991a1c;hpb=a2bd1bf0c2c1f1a17d188f4dc0726a45494cefae;p=yaffs-website
diff --git a/web/core/modules/file/src/FileAccessControlHandler.php b/web/core/modules/file/src/FileAccessControlHandler.php
index f4bda3cb7..1e6768da6 100644
--- a/web/core/modules/file/src/FileAccessControlHandler.php
+++ b/web/core/modules/file/src/FileAccessControlHandler.php
@@ -22,8 +22,12 @@ class FileAccessControlHandler extends EntityAccessControlHandler {
 /** @var \Drupal\file\FileInterface $entity */
 if ($operation == 'download' || $operation == 'view') {
 if (\Drupal::service('file_system')->uriScheme($entity->getFileUri()) === 'public') {
- // Always allow access to file in public file system.
- return AccessResult::allowed();
+ if ($operation === 'download') {
+ return AccessResult::allowed();
+ }
+ else {
+ return AccessResult::allowedIfHasPermission($account, 'access content');
+ }
 }
 elseif ($references = $this->getFileReferences($entity)) {
 foreach ($references as $field_name => $entity_map) {
@@ -48,11 +52,11 @@ class FileAccessControlHandler extends EntityAccessControlHandler {
 // services can be more properly injected.
 $allowed_fids = \Drupal::service('session')->get('anonymous_allowed_file_ids', []);
 if (!empty($allowed_fids[$entity->id()])) {
- return AccessResult::allowed();
+ return AccessResult::allowed()->addCacheContexts(['session', 'user']);
 }
 }
 else {
- return AccessResult::allowed();
+ return AccessResult::allowed()->addCacheContexts(['user']);
 }
 }
 }
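Review bot: The new public-scheme branch removes the only comment that explained this decision and adds none for the new asymmetry, so nothing tells a reader why 'download' stays unconditional while 'view' now requires 'access content'. A short why-comment above the inner `if` would do, e.g. `// Public files are served without consulting Drupal access, so 'download' cannot usefully be restricted; viewing the file entity still requires 'access content'.` (adjust if that is not the actual rationale; the hunk does not show it). The outer condition still compares with loose `==` while the new inner check uses `===`; `if ($operation === 'download' || $operation === 'view') {` keeps the two consistent. The `if`/`else` pair could also collapse to `return $operation === 'download' ? AccessResult::allowed() : AccessResult::allowedIfHasPermission($account, 'access content');`. The enclosing method starts and ends outside the hunk.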
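Review bot: In the second hunk (`@@ -48,11 +52,11 @@`) the 'session' cache context is attached only when the anonymous session lists the file; when `$allowed_fids[$entity->id()]` is absent the code falls through, and whatever result is eventually returned (outside this hunk) also depended on the session but will not carry that context, so a negative result could be cached across sessions if it is otherwise cacheable. One way to keep the metadata on both paths is to build the result once, `$result = AccessResult::allowedIf(!empty($allowed_fids[$entity->id()]))->addCacheContexts(['session', 'user']);`, return it when `$result->isAllowed()`, and otherwise merge its cacheability into the final return with `addCacheableDependency($result)`. Separately, the `else` branch's `['user']` context varies the cached result per user account; if the condition above (which starts outside the hunk) is only an anonymous/authenticated split, the narrower `user.roles:anonymous` context would suffice and is far cheaper to cache. The enclosing conditional and loop start before this hunk.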
@@ -60,11 +64,11 @@ class FileAccessControlHandler extends EntityAccessControlHandler {
 if ($operation == 'delete' || $operation == 'update') {
 $account = $this->prepareUser($account);
 $file_uid = $entity->get('uid')->getValue();
- // Only the file owner can delete and update the file entity.
+ // Only the file owner can update or delete the file entity.
 if ($account->id() == $file_uid[0]['target_id']) {
 return AccessResult::allowed();
 }
- return AccessResult::forbidden();
+ return AccessResult::forbidden('Only the file owner can update or delete the file entity.');
 }

 // No opinion.
@@ -123,8 +127,6 @@ class FileAccessControlHandler extends EntityAccessControlHandler {
 // create file entities that are referenced from another entity
 // (e.g. an image for a article). A contributed module is free to alter
 // this to allow file entities to be created directly.
- // @todo Update comment to mention REST module when
- // https://www.drupal.org/node/1927648 is fixed.
 return AccessResult::neutral();
 }
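Review bot: The owner check returns results whose outcome depends on the current user and on the file's `uid` value, yet neither the `allowed()` nor the new `forbidden(...)` carries cache metadata, unlike the results the earlier hunks decorate with cache contexts. `return AccessResult::allowed()->cachePerUser()->addCacheableDependency($entity);` and `return AccessResult::forbidden('Only the file owner can update or delete the file entity.')->cachePerUser()->addCacheableDependency($entity);` would make the cacheability match the inputs the decision reads. The comparison `$account->id() == $file_uid[0]['target_id']` is pre-existing but loose and reads `$file_uid[0]` without checking that the field has a value; `(int) $account->id() === (int) ($file_uid[0]['target_id'] ?? 0)` would be explicit about both. The enclosing method starts before this hunk and its remaining code follows after it.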