From 436c2096c8ab16b506be81b49f643b1fe2821f48 Mon Sep 17 00:00:00 2001
From: ubcjohn <john.bratlien@ubc.ca>
Date: Mon, 31 Jul 2023 14:34:11 -0700
Subject: [PATCH] Add permission and check permission before serving private
 file

---
 ubc_media_entities/ubc_media_entities.module  | 35 +++++++++++++++++++
 .../ubc_media_entities.permissions.yml        |  6 +++-
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 ubc_media_entities/ubc_media_entities.module

diff --git a/ubc_media_entities/ubc_media_entities.module b/ubc_media_entities/ubc_media_entities.module
new file mode 100644
index 0000000..e01db2f
--- /dev/null
+++ b/ubc_media_entities/ubc_media_entities.module
@@ -0,0 +1,35 @@
+<?php
+
+use Drupal\Core\StreamWrapper\StreamWrapperManager;
+use Drupal\user\Entity\Role;
+
+/**
+ * Implements hook_file_download().
+ * https://www.chapterthree.com/blog/drupal-8-9-media-entities-private-files-and-broken-access-control
+ */
+function ubc_media_entities_file_download($uri) {
+  # Check if the file is coming from the private stream wrapper
+  if (StreamWrapperManager::getScheme($uri) == 'private') {
+
+    # 1: Block anonymous users.
+    if (Drupal::currentUser()->isAnonymous()) {
+      return -1;
+    }
+
+    # 2: The user does not have the permission "access private files".
+    if (!\Drupal::currentUser()->hasPermission('access private files')) {
+      return -1;
+    }
+  }
+
+  return NULL;
+}
+
+/**
+ * Implements hook_post_update_() to add permission to view private files
+ */
+function ubc_media_entities_post_update_grant_private_file_permission() {
+  $role_object = Role::load('authenticated');
+  $role_object->grantPermission('access private files');
+  $role_object->save();
+}
diff --git a/ubc_media_entities/ubc_media_entities.permissions.yml b/ubc_media_entities/ubc_media_entities.permissions.yml
index 1ee6e9d..e690ac9 100644
--- a/ubc_media_entities/ubc_media_entities.permissions.yml
+++ b/ubc_media_entities/ubc_media_entities.permissions.yml
@@ -1,3 +1,7 @@
+access private files:
+  title: 'Access private files'
+  description: 'View privately stored files from their direct URL path'
+  restrict access: TRUE
 create file media:
   title: 'File: Create new media'
   description: ''
@@ -57,4 +61,4 @@ edit own private_file media:
 edit own svg_icon media:
   title: 'Svg Icon: Edit own media'
   description: ''
-  restrict access: TRUE
\ No newline at end of file
+  restrict access: TRUE