Media Library image style shouldn't be able to be deleted through the UI.

Comment 12 months ago →
🇦🇺Australia amjad1233 Brisbane
I couldn't find a button on the UI to delete the task. But when I navigated to `***/delete` manually, it did delete the task. However, two observations were made:
1. Even after deletion, it asked for a "Replacement Image Style". Why couldn't it be removed in the first place?
2. There's a very slim chance someone can delete the task outside of the UI.
- In any case, it does not sound like a bug. (in my opinion)
Comment 12 months ago →
🇦🇺Australia acbramley
I actually think this is a bug, and it's not just super users that can bypass this access check.

The problem is that all image style entity routes don't have _entity_access requirements, rather they're just checking for a permission.

entity.image_style.delete_form: path: '/admin/config/media/image-styles/manage/{image_style}/delete' defaults: _entity_form: 'image_style.delete' _title: 'Delete' requirements: _permission: 'administer image styles'
Since user 1 has all permissions, it gets access, but also any role with administer image styles would have access
Status changed to Needs review 12 months ago12:27am 11 July 2023
Open in Jenkins → Open on Drupal.org →
Environment: PHP 8.2 & MySQL 8
last update 12 months ago
29,806 pass
Open in Jenkins → Open on Drupal.org →
Environment: PHP 8.2 & MySQL 8
last update 12 months ago
29,805 pass, 2 fail
Comment 12 months ago →
🇦🇺Australia acbramley
Here's a red/green combo (providing the fix doesn't break anything else) to prove it.

Moved the test from Kernel -> Functional so we have one place to do API based and UI based access checks.
Comment 12 months ago →
System Message
The last submitted patch, 11: 3079235-11-failing-test.patch, failed testing. View results →
Status changed to RTBC 12 months ago5:53am 11 July 2023
Comment 12 months ago →
🇮🇳India keshav.k
I have applied the #11 pass patch and confirmed that it is working perfectly.

lauriii → committed af3a8ef5 on 11.x

Issue #3079235 by acbramley, amjad1233, keshav.k, oknate: Media Library...

Status changed to Fixed 12 months ago7:01am 11 July 2023
Comment 12 months ago →
🇫🇮Finland lauriii Finland
Committed af3a8ef and pushed to 11.x. Thanks!
Comment 12 months ago →
🇦🇺Australia acbramley
Oh wow didn't expect that, thanks! I wonder if we should do follow ups for the other image style routes? Edit and create both use the permission as well as image effects
Comment 12 months ago →
🇫🇮Finland lauriii Finland
Seems fine to have a follow-up for that. I was thinking of asking for those changes here but thought it would be nice to land this for delete route first because it had some pre-existing tests in Media Library.
Comment 12 months ago →
🇦🇺Australia acbramley
Definitely makes sense, opened 🐛 Image style routes use _permission requirement instead of _entity_access Needs work
Comment 11 months ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

Media Library image style shouldn't be able to be deleted through the UI.

Problem/Motivation

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Comments & Activities