Upload Widgets do not have any access-check

Created on 2 April 2019, about 5 years ago
Updated 8 December 2023, 7 months ago

Problem/Motivation

While working on #3045280 → I also checked the MediaImageUpload widget and the Upload widget, and found that there is no access check at all.
I think the widgets should only be used when the user has the permission to create files or media entities.

At the moment any user with the permission 'access image_browser entity browser pages' will be able to upload images, even when he is not allowed to create new entities.

Proposed resolution

Add an access check to the widget classes:
'create MEDIA_TYPE media' for MediaImageUpload
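The following is an added example of the proposed check, not code from the entity_browser project or from this issue. It subclasses the MediaImageUpload widget in a hypothetical module "my_module" and assumes two things about the widget API: that the widget base class exposes an access() method returning an AccessResultInterface which the entity browser form consults before offering the widget tab, and that the widget configuration stores the target media bundle under the 'media_type' key. The actual permission evaluation is delegated to core's media access control handler, which is where 'create MEDIA_TYPE media' is enforced, so the widget never hard-codes a permission string.

```php
<?php

namespace Drupal\my_module\Plugin\EntityBrowser\Widget;

use Drupal\Core\Access\AccessResult;
use Drupal\entity_browser\Plugin\EntityBrowser\Widget\MediaImageUpload;

/**
 * MediaImageUpload widget that is only offered to users who may create media.
 *
 * Added example for a hypothetical module "my_module"; it assumes that the
 * widget base class declares an access() method consulted before the widget
 * is rendered, and that configuration carries the bundle under 'media_type'.
 *
 * @EntityBrowserWidget(
 *   id = "my_module_media_image_upload",
 *   label = @Translation("Upload images as media (access checked)"),
 *   description = @Translation("Upload images and create media entities; only shown to users who may create the configured media type."),
 *   auto_select = FALSE
 * )
 */
class AccessCheckedMediaImageUpload extends MediaImageUpload {

  /**
   * {@inheritdoc}
   */
  public function access() {
    $media_type = $this->configuration['media_type'] ?? NULL;
    if (empty($media_type)) {
      // Without a configured bundle the widget could not create anything, so
      // deny instead of falling through to an unchecked upload form.
      return AccessResult::forbidden('No media type configured for this widget.');
    }

    // Delegate to the media access control handler. createAccess() evaluates
    // the 'create MEDIA_TYPE media' permission (plus any access hooks) and,
    // with $return_as_object = TRUE, returns an AccessResult that already
    // carries the 'user.permissions' cache context.
    // Static service calls are used here for brevity; in a real widget the
    // entity type manager and current user would be injected.
    return \Drupal::entityTypeManager()
      ->getAccessControlHandler('media')
      ->createAccess($media_type, \Drupal::currentUser(), [], TRUE);
  }

}
```

Returning the handler's own AccessResult rather than a bare TRUE/FALSE matters: the result is cacheable per user permissions, and it is "neutral" when no opinion applies, which composes correctly with any access-related hooks other modules add. The plain Upload widget is left out of the example on purpose, since, as noted in the comments, core has no equivalent create-access API for file entities to delegate to.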

Remaining tasks

Are more permissions needed?
Add the access check
Tests

User interface changes

NONE

API changes

NONE

Data model changes

NONE

Release notes snippet

πŸ› Bug report
Status

RTBC

Version

2.0

Component

Widget plugins

Created by

🇩🇪 Germany mmbk Meißen


Comments & Activities


  • I added the upload widget to a custom entity browser that I'm using. However, I noticed users were still able to view that tab when the entity browser was open (even though they did not have the permission to view it). The patch in #8 did fix the problem for me.

  • 🇺🇸 United States Dave Reid Nebraska 🇺🇸

    I do agree that I'm not sure this makes sense to do given that core doesn't have any access API around file entities, but the change to MediaImageUpload *does* seem reasonable to me since media entities do have a full access API.
