Upload Widgets do not have any access-check

Created on 2 April 2019, about 6 years ago
Updated 11 August 2024, 8 months ago

Problem/Motivation

While working on #3045280 → I also checked the MediaImageUpload widget and the Upload widget, and found that there is no access check at all.
I think the widgets should only be used when the user has the permission to create files or media entities.

At the moment any user with the permission 'access image_browser entity browser pages' will be able to upload images, even when he is not allowed to create new entities.

Proposed resolution

Add an access check to the widget classes:
'create MEDIA_TYPE media' for MediaImageUpload
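One way to implement the proposed check, shown here as an added illustration rather than code from the entity_browser module or a patch attached to this issue. It assumes that entity_browser widgets expose an access() method (declared on WidgetInterface and returning AccessResult::allowed() in WidgetBase) that the browser form uses to decide whether a widget tab is shown, and that WidgetBase injects $this->entityTypeManager. The module name my_module, the plugin id and the class name are placeholders; the decision to fail closed when no media type is configured is a choice made for this example, not something the issue specifies.

```php
<?php

namespace Drupal\my_module\Plugin\EntityBrowser\Widget;

use Drupal\Core\Access\AccessResult;
use Drupal\entity_browser\Plugin\EntityBrowser\Widget\MediaImageUpload;

/**
 * Media image upload widget that is only offered to users who may create
 * media of the configured type.
 *
 * Illustrative subclass written for this issue discussion (not part of
 * entity_browser); the module name, plugin id and class name are placeholders.
 *
 * @EntityBrowserWidget(
 *   id = "my_module_media_image_upload",
 *   label = @Translation("Upload images as media items (access checked)"),
 *   description = @Translation("Upload widget creating media entities, hidden from users without create access."),
 *   auto_select = FALSE
 * )
 */
class AccessCheckedMediaImageUpload extends MediaImageUpload {

  /**
   * {@inheritdoc}
   *
   * Mirrors the "create MEDIA_TYPE media" permission by asking the media
   * entity access handler instead of hard-coding a permission string, so any
   * other access logic attached to media creation is honoured as well.
   */
  public function access() {
    $media_type = $this->configuration['media_type'] ?? NULL;

    if (!$media_type) {
      // Misconfigured widget: fail closed rather than offer an upload tab
      // whose result could never be saved as a media entity anyway.
      return AccessResult::forbidden('No media type configured for the widget.');
    }

    // createAccess() with a NULL account checks the current user. Requesting
    // the result as an object keeps the cacheability metadata (user
    // permissions) attached, so the tab visibility is cached correctly.
    $create_access = $this->entityTypeManager
      ->getAccessControlHandler('media')
      ->createAccess($media_type, NULL, [], TRUE);

    // Keep whatever the parent widget decides and AND it with media access.
    return parent::access()->andIf($create_access);
  }

}
```

With this in place a user who holds only 'access image_browser entity browser pages' no longer sees the upload tab, while a user who also holds 'create image media' (for a media type with id image) does. A corresponding kernel test would instantiate the widget with 'media_type' set, call access() for two users and assert isAllowed() for the one with the create permission and isForbidden() for the other.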

Remaining tasks

Are more permissions needed?
Add the access check
Tests

User interface changes

NONE

API changes

NONE

Data model changes

NONE

Release notes snippet

πŸ› Bug report
Status

Needs work

Version

2.0

Component

Widget plugins

Created by

🇩🇪 Germany mmbk Meißen


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • I added the upload widget to a custom entity browser that I'm using. However, I noticed users were still able to view that tab when the entity browser was open (even though they did not have the permission to view it). The patch in #8 did fix the problem for me.

  • 🇺🇸 United States dave reid Nebraska USA

    I do agree that I'm not sure this makes sense to do given that core doesn't have any access API around file entities, but the change to MediaImageUpload *does* seem reasonable to me since media entities do have a full access API.

  • Status changed to Needs work 8 months ago
  • 🇨🇭 Switzerland berdir Switzerland

    Needs to be a merge request now. I'd prefer to focus just on media entities here, as discussed before, file entities simply don't have that concept, and I'm not sure why we should respect an API that core doesn't use.
