Block content permissions required to select or upload new Media with media library when using Layout Builder

Created on 14 January 2020, almost 5 years ago
Updated 23 May 2024, 6 months ago

Media Library + Layout Builder issue.

To select or upload media from the media library, a user requires administer block content, OR create $bundle block content, access block library.

When using the media library widget from within the block content form of a layout builder inline block, where the block content has not yet been saved, when the user tries to click insert on the modal (select existing), or tries to use the uploader, media_library.module's MediaLibraryFieldWidgetOpener::checkAccess attempts to call createAccess, which eventually gets to BlockContentAccessControlHandler::createAccess, which checks for administer blocks.

In normal use of LB / Inline block user does not need this administer permission. Granting this permission is not granular enough to consider granting to lesser users.

Ultimately users should be able to select media from the library, or upload new media, without needing an administer permission. Layout builder provides a create and edit custom blocks for using inline blocks without requiring users to have administer.

πŸ› Bug report
Status

Active

Version

11.0 πŸ”₯

Component
Layout builderΒ  β†’

Last updated about 7 hours ago

Created by

πŸ‡¦πŸ‡ΊAustralia dpi Perth, Australia


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇦🇺Australia larowlan 🇦🇺.au GMT+10

    "✨ Add more granular block content permissions" (Fixed) would have resolved this. You just need the ability to edit the block content type the media is attached to now. This used to require administer blocks, but no longer does.

  • 🇦🇺Australia larowlan 🇦🇺.au GMT+10
  • 🇦🇺Australia acbramley

    While we can use the create * block content permissions to get around this, it's a bit strange because a role doesn't need any of these permissions to actually manage block content inside layout builder at all.

    This means we need to give roles create permissions for blocks they can create in layout builder, only for media library access. But then they'd have access to create them via block/add/foo as well? Leaning on the side of reopening this one.

  • Status changed to Active over 1 year ago
  • 🇦🇺Australia acbramley

    Yeah, you also need "access block library" which again may not be desirable.

  • 🇺🇸United States luke.leber Pennsylvania

    I agree with #31 here.

    Our particular use case is that we only want a higher echelon of users to be able to create / edit / delete reusable blocks (due to how far-reaching their usage might be), while allowing lower users to manage inline blocks.

    As it stands, even with contrib module helpers, users still seem to need create permission on the block type in order to use the media library for inline blocks. This comes with the nasty side-effect of allowing them to create reusable blocks as well.

  • 🇳🇿New Zealand john pitcairn

    I also agree with #31.

    Content editors who should only interact with blocks via layout builder should not see the reusable blocks overview page or be able to create standalone reusable blocks from there.

  • 🇩🇪Germany ammaletu Bonn, Germany

    We just stumbled upon a new variant of this bug (Drupal 10.1.7): Our users have the "administer blocks" permission, but not the new per content block permissions nor the "Access the Content blocks overview page" permission. Everything worked fine for them with Drupal 9. Since the update, they are not able to add media to a block anymore.

    The error message which is logged when clicking on the "Insert" button in the media modal (no error shown to the user):

    Path: [URL with many parameters]. Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: The following permissions are required: 'create gallery_widget block content' AND 'access block library'. in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 118 of /var/www/html/web/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).

    The change record for the new permissions sounded as if they were optional, as long as users have the "administer blocks" permission. Now it seems, this has changed so that you do need the new permissions for adding media items to a block!?
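
Added example (not part of the thread and not Drupal code): a least-privilege review of role permission lists against the rule quoted in the issue summary and in the logged error above, reporting both roles that will hit the access denial and roles that hold the block content permissions the commenters consider too broad. The role names and the `ROLES` data are constructed, shaped like the `permissions` list of an exported `user.role.*.yml`; the permission strings are the ones on this page.

```python
import re

# Permission strings as they appear on this page.
ADMIN = "administer block content"
LIBRARY = "access block library"
CREATE_RE = re.compile(r"^create (\w+) block content$")

# Constructed sample data, shaped like the `permissions` list of user.role.*.yml.
ROLES = {
    "layout_editor": ["create and edit custom blocks"],
    "gallery_editor": [
        "create and edit custom blocks",
        "create gallery_widget block content",
        "access block library",
    ],
    "block_manager": ["administer block content"],
}


def media_library_allowed(perms, bundle):
    """Rule quoted above: admin, OR (create $bundle AND access block library)."""
    perms = set(perms)
    return ADMIN in perms or (
        f"create {bundle} block content" in perms and LIBRARY in perms
    )


def review(roles, inline_only, bundle):
    """List findings for roles that are meant to manage inline blocks only."""
    findings = []
    for name in inline_only:
        perms = set(roles[name])
        if not media_library_allowed(perms, bundle):
            findings.append((name, "media-library-denied"))
        created = sorted(m.group(1) for p in perms if (m := CREATE_RE.match(p)))
        if created:
            findings.append((name, "create-permission:" + ",".join(created)))
        if LIBRARY in perms:
            findings.append((name, "block-library-access"))
        if ADMIN in perms:
            findings.append((name, "administer-block-content"))
    return findings


if __name__ == "__main__":
    inline_only = ["layout_editor", "gallery_editor"]
    for role, finding in review(ROLES, inline_only, "gallery_widget"):
        print(f"{role}: {finding}")
```
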

  • 🇺🇸United States ian.ssu

    ian.ssu made their first commit to this issue's fork.

  • 🇺🇸United States ian.ssu

    I spent an entire day with the debugger trying to find an elegant solution to this issue. My conclusion is that LayoutBuilder InlineBlock, by adding the Reusable property to BlockContentEntity, creates a separation of concerns problem. This approach couples BlockContent to LayoutBuilder in ways that other modules, like MediaLibrary, shouldn't have to worry about. I've started considering extending BlockContentEntity for InlineBlock as a potential path toward a solution.

    Unable to come up with a quick solution, I pivoted back to the workaround for Drupal 10.2.6
    https://git.drupalcode.org/issue/drupal-3106315/-/compare/11.x...3106315...
