From ec8b4f8c48bd436c82ca8ab9dec4d0a49016864f Mon Sep 17 00:00:00 2001
From: Alex Pott
Date: Tue, 8 May 2018 00:25:49 +0100
Subject: [PATCH] Issue #2950127 by owenbush, Yogesh Pawar, msankhala, Wim Leers, vaplas: Add helpful reason for 'update' and 'delete' access not being allowed to FileAccessControlHandler
---
 core/modules/file/src/FileAccessControlHandler.php | 4 ++--
 .../Functional/EntityResource/File/FileResourceTestBase.php | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/core/modules/file/src/FileAccessControlHandler.php b/core/modules/file/src/FileAccessControlHandler.php
index 07f9cecc92ed..3c26b1da7f7c 100644
--- a/core/modules/file/src/FileAccessControlHandler.php
+++ b/core/modules/file/src/FileAccessControlHandler.php
@@ -64,11 +64,11 @@ class FileAccessControlHandler extends EntityAccessControlHandler {
 if ($operation == 'delete' || $operation == 'update') {
 $account = $this->prepareUser($account);
 $file_uid = $entity->get('uid')->getValue();
- // Only the file owner can delete and update the file entity.
+ // Only the file owner can update or delete the file entity.
 if ($account->id() == $file_uid[0]['target_id']) {
 return AccessResult::allowed();
 }
- return AccessResult::forbidden();
+ return AccessResult::forbidden('Only the file owner can update or delete the file entity.');
 }
 // No opinion.
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/File/FileResourceTestBase.php b/core/modules/rest/tests/src/Functional/EntityResource/File/FileResourceTestBase.php
index 267f45321ea1..0ccf2ecdae1e 100644
--- a/core/modules/rest/tests/src/Functional/EntityResource/File/FileResourceTestBase.php
+++ b/core/modules/rest/tests/src/Functional/EntityResource/File/FileResourceTestBase.php
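Review bot: The ownership check `$account->id() == $file_uid[0]['target_id']`, just above the new `AccessResult::forbidden(...)` call in the FileAccessControlHandler hunk, uses a loose comparison and reads index 0 without checking that the `uid` field holds a value. If a file entity can exist with an empty owner field, the right-hand side would be NULL and, under PHP's loose comparison, would match an account whose id is 0, so the allow branch could be reached without a real owner match. Consider `$owner_id = $file_uid[0]['target_id'] ?? NULL;` followed by `if ($owner_id !== NULL && (int) $account->id() === (int) $owner_id) {`. The enclosing method starts and ends outside this hunk, so whether an ownerless file is possible needs confirming against the rest of the handler.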
@@ -224,8 +224,8 @@ abstract class FileResourceTestBase extends EntityResourceTestBase {
 if ($method === 'GET') {
 return "The 'access content' permission is required.";
 }
- if ($method === 'PATCH') {
- return 'You are not authorized to update this file entity.';
+ if ($method === 'PATCH' || $method === 'DELETE') {
+ return 'Only the file owner can update or delete the file entity.';
 }
 return parent::getExpectedUnauthorizedAccessMessage($method);
 }