drupal/core/modules/file/file.api.php

<?php

/**
 * @file
 * Hooks for file module.
 */

/**
 * @defgroup file File interface
 * @{
 * Common file handling functions.
 *
 * @section file_security Uploading files and security considerations
 *
 * Using \Drupal\file\Element\ManagedFile field with a defined list of allowed
 * extensions is best way to provide a file upload field. It will ensure that:
 * - File names are sanitized by the FileUploadSanitizeNameEvent event.
 * - Files are validated by hook implementations of hook_file_validate().
 * - Files with insecure extensions will be blocked by default even if they are
 *   listed. If .txt is an allowed extension such files will be renamed.
 *
 * The \Drupal\Core\Render\Element\File field requires the developer to ensure
 * security concerns are taken care of. To do this, a developer should:
 * - Add the #upload_validators property to the form element. For example,
 * @code
 * $form['file_upload'] = [
 *   '#type' => 'file',
 *   '#title' => $this->t('Upload file'),
 *   '#upload_validators' => [
 *     'file_validate_extensions' => [
 *       'png gif jpg',
 *     ],
 *   ],
 * ];
 * @endcode
 * - Use file_save_upload() to trigger the FileUploadSanitizeNameEvent event and
 *   hook_file_validate().
 *
 * Important considerations, regardless of the form element used:
 * - Always use and validate against a list of allowed extensions.
 * - If the configuration system.file:allow_insecure_uploads is set to TRUE
 *   then potentially insecure files will not be renamed. This setting is not
 *   recommended.
 *
 * @see https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
 * @see \hook_file_validate()
 * @see file_save_upload()
 * @see \Drupal\Core\File\Event\FileUploadSanitizeNameEvent
 * @see \Drupal\system\EventSubscriber\SecurityFileUploadEventSubscriber
 * @see \Drupal\file\Element\ManagedFile
 * @see \Drupal\Core\Render\Element\File
 *
 * @}
 */

/**
 * @addtogroup hooks
 * @{
 */

/**
 * Check that files meet a given criteria.
 *
 * This hook lets modules perform additional validation on files. They're able
 * to report a failure by returning one or more error messages.
 *
 * @param \Drupal\file\FileInterface $file
 *   The file entity being validated.
 *
 * @return array
 *   An array of error messages. If there are no problems with the file return
 *   an empty array.
 *
 * @see file_validate()
 */
function hook_file_validate(\Drupal\file\FileInterface $file) {
  $errors = [];

  if (!$file->getFilename()) {
    $errors[] = t("The file's name is empty. Please give a name to the file.");
  }
  if (strlen($file->getFilename()) > 255) {
    $errors[] = t("The file's name exceeds the 255 characters limit. Please rename the file and try again.");
  }

  return $errors;
}

/**
 * Respond to a file that has been copied.
 *
 * @param \Drupal\file\FileInterface $file
 *   The newly copied file entity.
 * @param \Drupal\file\FileInterface $source
 *   The original file before the copy.
 *
 * @see \Drupal\file\FileRepositoryInterface::copy()
 */
function hook_file_copy(\Drupal\file\FileInterface $file, \Drupal\file\FileInterface $source) {
  // Make sure that the file name starts with the owner's user name.
  if (strpos($file->getFilename(), $file->getOwner()->name) !== 0) {
    $file->setFilename($file->getOwner()->name . '_' . $file->getFilename());
    $file->save();

    \Drupal::logger('file')->notice('Copied file %source has been renamed to %destination', ['%source' => $source->filename, '%destination' => $file->getFilename()]);
  }
}

/**
 * Respond to a file that has been moved.
 *
 * @param \Drupal\file\FileInterface $file
 *   The updated file entity after the move.
 * @param \Drupal\file\FileInterface $source
 *   The original file entity before the move.
 *
 * @see \Drupal\file\FileRepositoryInterface::move()
 */
function hook_file_move(\Drupal\file\FileInterface $file, \Drupal\file\FileInterface $source) {
  // Make sure that the file name starts with the owner's user name.
  if (strpos($file->getFilename(), $file->getOwner()->name) !== 0) {
    $file->setFilename($file->getOwner()->name . '_' . $file->getFilename());
    $file->save();

    \Drupal::logger('file')->notice('Moved file %source has been renamed to %destination', ['%source' => $source->filename, '%destination' => $file->getFilename()]);
  }
}

/**
 * @} End of "addtogroup hooks".
 */
#846296 by Berdir, ridgerunner, agentrickard: Fixed file_file_download() only implements access checks for nodes and users. 2010-08-23 14:53:50 +00:00			`<?php`

			`/**`
			`* @file`
			`* Hooks for file module.`
			`*/`

Issue #3032390 by alexpott, dww, Pancho, 3CWebDev, kim.pepper, larowlan, Berdir, catch, andypost, chr.fritsch, Wim Leers: Add an event to sanitize filenames during upload 2021-02-24 16:02:18 +00:00			`/**`
Issue #3260766 by andypost: Remove deprecated file.inc and its mentions 2022-01-28 20:49:40 +00:00			`* @defgroup file File interface`
Issue #3032390 by alexpott, dww, Pancho, 3CWebDev, kim.pepper, larowlan, Berdir, catch, andypost, chr.fritsch, Wim Leers: Add an event to sanitize filenames during upload 2021-02-24 16:02:18 +00:00			`* @{`
Issue #3260766 by andypost: Remove deprecated file.inc and its mentions 2022-01-28 20:49:40 +00:00			`* Common file handling functions.`
			`*`
Issue #3032390 by alexpott, dww, Pancho, 3CWebDev, kim.pepper, larowlan, Berdir, catch, andypost, chr.fritsch, Wim Leers: Add an event to sanitize filenames during upload 2021-02-24 16:02:18 +00:00			`* @section file_security Uploading files and security considerations`
			`*`
			`* Using \Drupal\file\Element\ManagedFile field with a defined list of allowed`
			`* extensions is best way to provide a file upload field. It will ensure that:`
			`* - File names are sanitized by the FileUploadSanitizeNameEvent event.`
			`* - Files are validated by hook implementations of hook_file_validate().`
			`* - Files with insecure extensions will be blocked by default even if they are`
			`* listed. If .txt is an allowed extension such files will be renamed.`
			`*`
			`* The \Drupal\Core\Render\Element\File field requires the developer to ensure`
			`* security concerns are taken care of. To do this, a developer should:`
			`* - Add the #upload_validators property to the form element. For example,`
			`* @code`
			`* $form['file_upload'] = [`
			`* '#type' => 'file',`
			`* '#title' => $this->t('Upload file'),`
			`* '#upload_validators' => [`
			`* 'file_validate_extensions' => [`
			`* 'png gif jpg',`
			`* ],`
			`* ],`
			`* ];`
			`* @endcode`
			`* - Use file_save_upload() to trigger the FileUploadSanitizeNameEvent event and`
			`* hook_file_validate().`
			`*`
			`* Important considerations, regardless of the form element used:`
			`* - Always use and validate against a list of allowed extensions.`
			`* - If the configuration system.file:allow_insecure_uploads is set to TRUE`
			`* then potentially insecure files will not be renamed. This setting is not`
			`* recommended.`
			`*`
			`* @see https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html`
			`* @see \hook_file_validate()`
			`* @see file_save_upload()`
			`* @see \Drupal\Core\File\Event\FileUploadSanitizeNameEvent`
			`* @see \Drupal\system\EventSubscriber\SecurityFileUploadEventSubscriber`
			`* @see \Drupal\file\Element\ManagedFile`
			`* @see \Drupal\Core\Render\Element\File`
			`*`
			`* @}`
			`*/`

Issue #1253820 by yched, zserno, tim.plunkett, xjm, effulgentsia, plach: Fixed It's impossible to submit no value for a field that has a default value. 2013-01-16 17:37:23 +00:00			`/**`
Issue #2216535 by jhodgdon, Berdir: Replace Node overview topic and Node API topic with Entity Hooks topic. 2014-07-11 12:04:53 +00:00			`* @addtogroup hooks`
			`* @{`
Issue #1253820 by yched, zserno, tim.plunkett, xjm, effulgentsia, plach: Fixed It's impossible to submit no value for a field that has a default value. 2013-01-16 17:37:23 +00:00			`*/`
Issue #1468328 by Berdir: Move file entity info, managed file, and file usage functionality into File module. 2012-08-31 01:27:21 +00:00
			`/**`
			`* Check that files meet a given criteria.`
			`*`
			`* This hook lets modules perform additional validation on files. They're able`
			`* to report a failure by returning one or more error messages.`
			`*`
Issue #1818568 by Berdir, das-peter: Convert files to the new Entity Field API. 2013-06-15 08:46:11 +00:00			`* @param \Drupal\file\FileInterface $file`
Issue #1468328 by Berdir: Move file entity info, managed file, and file usage functionality into File module. 2012-08-31 01:27:21 +00:00			`* The file entity being validated.`
Issue #2937513 by eltori, longwave, klausi, catch, idebr: Fix 'Drupal.Commenting.DocComment.TagGroupSpacing' coding standard 2020-05-20 22:11:54 +00:00			`*`
Issue #1811858 by Mile23, deepakaryan1988: Add missing type hinting to File module docblocks 2015-06-12 14:46:25 +00:00			`* @return array`
Issue #1468328 by Berdir: Move file entity info, managed file, and file usage functionality into File module. 2012-08-31 01:27:21 +00:00			`* An array of error messages. If there are no problems with the file return`
			`* an empty array.`
			`*`
			`* @see file_validate()`
			`*/`
Issue #2723621 by jofitz, mfernea, alexpott, abhisekmazumdar, neclimdul, snehi, Suresh Prabhu Parkala, ankithashetty, anmolgoyal74, anoopjohn, longwave, hgunicamp, empesan, kostyashupenko, Mile23, dawehner, idebr, daffie, catch: Fix Drupal.Commenting.FunctionComment.IncorrectTypeHint and Drupal.Commenting.FunctionComment.InvalidTypeHint 2021-02-20 13:24:51 +00:00			`function hook_file_validate(\Drupal\file\FileInterface $file) {`
Issue #2776975 by joelpittet, dawehner, tim.plunkett, xjm, pfrenssen: March 3, 2017: Convert core to array syntax coding standards for Drupal 8.3.x RC phase 2017-03-04 01:20:24 +00:00			`$errors = [];`
Issue #1468328 by Berdir: Move file entity info, managed file, and file usage functionality into File module. 2012-08-31 01:27:21 +00:00
Issue #1818568 by Berdir, das-peter: Convert files to the new Entity Field API. 2013-06-15 08:46:11 +00:00			`if (!$file->getFilename()) {`
Issue #1468328 by Berdir: Move file entity info, managed file, and file usage functionality into File module. 2012-08-31 01:27:21 +00:00			`$errors[] = t("The file's name is empty. Please give a name to the file.");`
			`}`
Issue #1818568 by Berdir, das-peter: Convert files to the new Entity Field API. 2013-06-15 08:46:11 +00:00			`if (strlen($file->getFilename()) > 255) {`
Issue #1468328 by Berdir: Move file entity info, managed file, and file usage functionality into File module. 2012-08-31 01:27:21 +00:00			`$errors[] = t("The file's name exceeds the 255 characters limit. Please rename the file and try again.");`
			`}`

			`return $errors;`
			`}`

			`/**`
			`* Respond to a file that has been copied.`
			`*`
Issue #1818568 by Berdir, das-peter: Convert files to the new Entity Field API. 2013-06-15 08:46:11 +00:00			`* @param \Drupal\file\FileInterface $file`
Issue #1468328 by Berdir: Move file entity info, managed file, and file usage functionality into File module. 2012-08-31 01:27:21 +00:00			`* The newly copied file entity.`
Issue #1818568 by Berdir, das-peter: Convert files to the new Entity Field API. 2013-06-15 08:46:11 +00:00			`* @param \Drupal\file\FileInterface $source`
Issue #1468328 by Berdir: Move file entity info, managed file, and file usage functionality into File module. 2012-08-31 01:27:21 +00:00			`* The original file before the copy.`
			`*`
Issue #3223209 by kim.pepper, dww, yogeshmpawar, daffie, larowlan, Berdir, andypost, phenaproxima, brianV, alexpott, AjitS, ravi.shankar, catch, quietone, trobey, Dave Reid, JacobSingh, imclean, tim.plunkett, Kars-T, amateescu, JeremyFrench, aaron: deprecate file_save_data, file_copy and file_move and replace with a service 2021-10-25 01:01:32 +00:00			`* @see \Drupal\file\FileRepositoryInterface::copy()`
Issue #1468328 by Berdir: Move file entity info, managed file, and file usage functionality into File module. 2012-08-31 01:27:21 +00:00			`*/`
Issue #2723621 by jofitz, mfernea, alexpott, abhisekmazumdar, neclimdul, snehi, Suresh Prabhu Parkala, ankithashetty, anmolgoyal74, anoopjohn, longwave, hgunicamp, empesan, kostyashupenko, Mile23, dawehner, idebr, daffie, catch: Fix Drupal.Commenting.FunctionComment.IncorrectTypeHint and Drupal.Commenting.FunctionComment.InvalidTypeHint 2021-02-20 13:24:51 +00:00			`function hook_file_copy(\Drupal\file\FileInterface $file, \Drupal\file\FileInterface $source) {`
Issue #1173322 by javier_: Add function bodies to file hook documentation 2012-11-27 15:35:31 +00:00			`// Make sure that the file name starts with the owner's user name.`
Issue #1818568 by Berdir, das-peter: Convert files to the new Entity Field API. 2013-06-15 08:46:11 +00:00			`if (strpos($file->getFilename(), $file->getOwner()->name) !== 0) {`
			`$file->setFilename($file->getOwner()->name . '_' . $file->getFilename());`
Issue #1173322 by javier_: Add function bodies to file hook documentation 2012-11-27 15:35:31 +00:00			`$file->save();`
Issue #1468328 by Berdir: Move file entity info, managed file, and file usage functionality into File module. 2012-08-31 01:27:21 +00:00
Issue #2776975 by joelpittet, dawehner, tim.plunkett, xjm, pfrenssen: March 3, 2017: Convert core to array syntax coding standards for Drupal 8.3.x RC phase 2017-03-04 01:20:24 +00:00			`\Drupal::logger('file')->notice('Copied file %source has been renamed to %destination', ['%source' => $source->filename, '%destination' => $file->getFilename()]);`
Issue #1173322 by javier_: Add function bodies to file hook documentation 2012-11-27 15:35:31 +00:00			`}`
Issue #1468328 by Berdir: Move file entity info, managed file, and file usage functionality into File module. 2012-08-31 01:27:21 +00:00			`}`

			`/**`
			`* Respond to a file that has been moved.`
			`*`
Issue #1818568 by Berdir, das-peter: Convert files to the new Entity Field API. 2013-06-15 08:46:11 +00:00			`* @param \Drupal\file\FileInterface $file`
Issue #1468328 by Berdir: Move file entity info, managed file, and file usage functionality into File module. 2012-08-31 01:27:21 +00:00			`* The updated file entity after the move.`
Issue #1818568 by Berdir, das-peter: Convert files to the new Entity Field API. 2013-06-15 08:46:11 +00:00			`* @param \Drupal\file\FileInterface $source`
Issue #1468328 by Berdir: Move file entity info, managed file, and file usage functionality into File module. 2012-08-31 01:27:21 +00:00			`* The original file entity before the move.`
			`*`
Issue #3223209 by kim.pepper, dww, yogeshmpawar, daffie, larowlan, Berdir, andypost, phenaproxima, brianV, alexpott, AjitS, ravi.shankar, catch, quietone, trobey, Dave Reid, JacobSingh, imclean, tim.plunkett, Kars-T, amateescu, JeremyFrench, aaron: deprecate file_save_data, file_copy and file_move and replace with a service 2021-10-25 01:01:32 +00:00			`* @see \Drupal\file\FileRepositoryInterface::move()`
Issue #1468328 by Berdir: Move file entity info, managed file, and file usage functionality into File module. 2012-08-31 01:27:21 +00:00			`*/`
Issue #2723621 by jofitz, mfernea, alexpott, abhisekmazumdar, neclimdul, snehi, Suresh Prabhu Parkala, ankithashetty, anmolgoyal74, anoopjohn, longwave, hgunicamp, empesan, kostyashupenko, Mile23, dawehner, idebr, daffie, catch: Fix Drupal.Commenting.FunctionComment.IncorrectTypeHint and Drupal.Commenting.FunctionComment.InvalidTypeHint 2021-02-20 13:24:51 +00:00			`function hook_file_move(\Drupal\file\FileInterface $file, \Drupal\file\FileInterface $source) {`
Issue #1173322 by javier_: Add function bodies to file hook documentation 2012-11-27 15:35:31 +00:00			`// Make sure that the file name starts with the owner's user name.`
Issue #1818568 by Berdir, das-peter: Convert files to the new Entity Field API. 2013-06-15 08:46:11 +00:00			`if (strpos($file->getFilename(), $file->getOwner()->name) !== 0) {`
			`$file->setFilename($file->getOwner()->name . '_' . $file->getFilename());`
Issue #1173322 by javier_: Add function bodies to file hook documentation 2012-11-27 15:35:31 +00:00			`$file->save();`
Issue #1468328 by Berdir: Move file entity info, managed file, and file usage functionality into File module. 2012-08-31 01:27:21 +00:00
Issue #2776975 by joelpittet, dawehner, tim.plunkett, xjm, pfrenssen: March 3, 2017: Convert core to array syntax coding standards for Drupal 8.3.x RC phase 2017-03-04 01:20:24 +00:00			`\Drupal::logger('file')->notice('Moved file %source has been renamed to %destination', ['%source' => $source->filename, '%destination' => $file->getFilename()]);`
Issue #1173322 by javier_: Add function bodies to file hook documentation 2012-11-27 15:35:31 +00:00			`}`
Issue #1468328 by Berdir: Move file entity info, managed file, and file usage functionality into File module. 2012-08-31 01:27:21 +00:00			`}`

Issue #2216535 by jhodgdon, Berdir: Replace Node overview topic and Node API topic with Entity Hooks topic. 2014-07-11 12:04:53 +00:00			`/**`
			`* @} End of "addtogroup hooks".`
			`*/`