Add file create access check for HAX, update README, and update code …

…on file uploads for D8.

README.md

@@ -43,7 +43,9 @@ This should give you the dependencies you need to get going.
 2. Go to the permissions page to ensure users have the 'use hax' permission
    checked. Once this is checked then people will start to see a 'HAX Authoring'
    local menu item / tab / contextual option show up when they have access to
-   edit a node.
+   edit a node. If you want users to be able to upload files, grant the
+   'Upload files via HAX editor' permission.
+
 NOTE on Text Formats: HAX is designed to work with nodes with bodies in the
 default Full HTML format where "Limit allowed HTML tags and correct faulty HTML"
 is unchecked, or with formats with similarly permissive settings. For this

hax.module

@@ -88,8 +88,8 @@ function hax_hax_app_store() {
 
   }
   $json = $hax->loadBaseAppStore($apikeys);
-  // pull in the core ones we supply
-  if (\Drupal::moduleHandler()->moduleExists('file_entity') && \Drupal::moduleHandler()->moduleExists('rest')) {
+  // Pull in the core ones we supply.
+  if (\Drupal::moduleHandler()->moduleExists('file')) {
     $tmp = json_decode(_hax_site_connection());
     array_push($json, $tmp);
   }

hax.permissions.yml

@@ -1,3 +1,6 @@
 'use hax':
   title: 'Use HAX editor'
   description: 'Advanced authoring experience that is pulled in from hax capable web components.'
+'upload files via hax':
+  title: 'Upload files via HAX editor'
+  description: 'Allow HAX users to upload files'

src/Controller/HaxModeController.php

@@ -10,6 +10,8 @@
 use Drupal\Core\Access\AccessResult;
 use Symfony\Component\HttpFoundation\Response;
 
+use Drupal\file;
+
 /**
  * Defines a controller to render a single node in HAX Mode.
  */
@@ -107,8 +109,9 @@ public function _hax_node_save(\Drupal\node\NodeInterface $node, $token) {
    * Permission + File access check.
    */
   public function _hax_file_access($op) {
-    // FIXME entity_access bit in next line needs to be updated for D8
-    if (\Drupal::currentUser()->hasPermission('use hax') && entity_access('create', 'file', $_FILES['file-upload']['type'])) {
+    // Ensure there are entity permissions to create a file via HAX.
+    // See https://www.drupal.org/project/hax/issues/2962055#comment-12617576
+    if (\Drupal::currentUser()->hasPermission('use hax') && \Drupal::currentUser()->hasPermission('upload files via hax')) {
       return AccessResult::allowed();
     }
     return AccessResult::forbidden();
@@ -121,10 +124,10 @@ public function _hax_file_save($token) {
     $status = 403;
     $return = '';
 
-    // check for the uploaded file from our 1-page-uploader app
-    // and ensure there are entity permissions to create a file of this type
-    // FIXME entity_access bit in next line needs to be updated for D8
-    if (\Drupal::csrfToken()->validate($token) && isset($_FILES['file-upload']) && entity_access('create', 'file', $_FILES['file-upload']['type'])) {
+    // Check for the uploaded file from our 1-page-uploader app
+    // and ensure there are entity permissions to create a file via HAX.
+    // See https://www.drupal.org/project/hax/issues/2962055#comment-12617576
+    if (\Drupal::csrfToken()->validate($token) && \Drupal::currentUser()->hasPermission('upload files via hax') && isset($_FILES['file-upload'])) {
       $upload = $_FILES['file-upload'];
       // check for a file upload
       if (isset($upload['tmp_name']) && is_uploaded_file($upload['tmp_name'])) {
@@ -140,8 +143,8 @@ public function _hax_file_save($token) {
         }
         // see if Drupal can load from this data source
         if ($file = file_save_data($data, $file_wrapper . '://' . $upload['name'])) {
-          file_save($file);
-          $file->url = file_create_url($file->uri);
+          $file->save();
+          $file->url = file_create_url($file->getFileUri());
           $return = ['file' => $file];
           $status = 200;
         }