Contrib.social

Referencing new media requires "administer media" permission

Open on Drupal.org β†’
Created on 3 February 2020, almost 5 years ago
Updated 23 March 2024, 10 months ago

Problem/Motivation

Entity configuration:

  1. Install Inline Entity Form
  2. Create a media entity bundle "Media Test"
  3. Add a media reference field to a content type to reference "Media Test" only
  4. Select "Create referenced entities if they don't already exist"
  5. Under "Manage form display" set the widget to "Inline entity form - Simple"

User configuration:

  1. Add a new user
  2. Set relevant permissions for creating the content type and entity type
  3. Set relevant permissions for viewing unpublished and editing the entity types
  4. Do not select "administer media"

Log in as the new user and try to create a new page with reference media. The following error is displayed:

This entity (media: media_test) cannot be referenced.

See Drupal\media\Plugin\EntityReferenceSelection\MediaSelection:

  /**
   * {@inheritdoc}
   */
  public function validateReferenceableNewEntities(array $entities) {
    $entities = parent::validateReferenceableNewEntities($entities);
    // Mirror the conditions checked in buildEntityQuery().
    if (!$this->currentUser->hasPermission('administer media')) {
      $entities = array_filter($entities, function ($media) {
        /** @var \Drupal\media\MediaInterface $media */
        return $media->isPublished();
      });
    }
    return $entities;
  }

Giving the user the permission "administer media" allows the node and referenced media entity to be created. I think it would be preferable for this permission to not be required.

Proposed resolution

Unsure, maybe another permission to check when the user doesn't have "administer media" permission.

Remaining tasks

Either resolve the issue or explain why it's desirable to keep the current behaviour.

User interface changes

None.

API changes

Unsure.

Data model changes

None.

πŸ› Bug report
Status

Needs review

Version

11.0 πŸ”₯

Component
MediaΒ  β†’

Last updated about 7 hours ago

Created by

πŸ‡¦πŸ‡ΊAustralia imclean Tasmania

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment 10 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States daniel korte Brooklyn, NY

    I’m changing this to a Bug Report since I would expect this behavior from the view own unpublished media permission, but let me know if I’m wrong here.

    I cleaned things up and addressed comment #12 concerns. Also, I noticed the existing patches don’t apply to the Media Library Grid/Table Widget which also has this issue. I updated the Views config to mirror what is being used on the Media Library admin page with the media_status plugin. Everything appears to be working with the view own unpublished media permission now.

  • Status changed to Needs work 10 months ago
  • Comment 10 months ago β†’
    needs-review-queue-bot

    The Needs Review Queue Bot β†’ tested this issue.

    While you are making the above changes, we recommend that you convert this patch to a merge request β†’ . Merge requests are preferred over patches. Be sure to hide the old patch files as well. (Converting an issue to a merge request without other contributions to the issue will not receive credit.)

  • Status changed to Needs review 10 months ago
  • Comment 10 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States daniel korte Brooklyn, NY
  • Merge request !7167Fix media selection with the 'view own unpublished media' permission β†’ (Open) created by daniel korte
  • Pipeline finished with Failed
    10 months ago
    Total: 189s
    #126799
  • Status changed to Needs work 10 months ago
  • Comment 10 months ago β†’
    needs-review-queue-bot

    The Needs Review Queue Bot β†’ tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide β†’ to find step-by-step guides for working with issues.

  • Status changed to Needs review 10 months ago
  • Comment 10 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States daniel korte Brooklyn, NY

    Try again...

  • Pipeline finished with Failed
    10 months ago
    Total: 589s
    #127126
  • Status changed to Needs work 10 months ago
  • Comment 10 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    Unsure, maybe another permission to check when the user doesn't have "administer media" permission.

    Don't think this matches the solution in the MR

    As a bug will need a failing test case showing the issue.

  • Comment 6 months ago β†’
    jessmm

    This appears to not only be limited to referencing a users own unpublished media. We have also experienced users not being able to reference unpublished media from other users. In this case, the user has the permissions to 'create media' and 'update any media'.

  • Comment 2 months ago β†’
    πŸ‡³πŸ‡ΏNew Zealand ericgsmith
  • Comment 2 months ago β†’
    πŸ‡³πŸ‡ΏNew Zealand ericgsmith
  • Comment 2 months ago β†’
    πŸ‡³πŸ‡ΏNew Zealand ericgsmith

    Related issue πŸ› User can't reference unpublished content even when they have access to it Needs work is talking along similar lines but for content, not media. To me this feels like a shared issue around unpublished entities being hidden from users who have access to them.

  • Comment 2 months ago β†’
    πŸ‡³πŸ‡ΏNew Zealand ericgsmith

    I think similar to the related issue - this check should also take the permission view any unpublished content into account since view any unpublished content also applies to media πŸ“Œ 'View any unpublished content' permission is surprisingly broad Active

    Perhaps this is realistically postponed until πŸ› User can't reference unpublished content even when they have access to it Needs work lands so that the BC impact can be the same, once that config in the related issue is added it can be used here>

  • Pipeline finished with Failed
    about 1 month ago
    Total: 171s
    #355927
  • Comment about 1 month ago β†’
    πŸ‡³πŸ‡ΏNew Zealand ericgsmith

    I have started expanding test coverage for the selection handler - end of the day for me so assigning to me, still need find where the validate new references is tested.

    Added additional permission check mentioned in #28 - have not added this to the validate method yet - that is still to be done.

    I still believe this will need to wait for πŸ› User can't reference unpublished content even when they have access to it Needs work to land as that introduces a BC layer for this logic change to the base handler - I think it makes sense to wait for that issue to land rather than trying to work that in now and likely this could be postponed as a follow up - but I will try complete the remaining work soon as I need this functionality now and do not have a concern about it being a BC break.

  • Pipeline finished with Success
    about 1 month ago
    #355934
  • Pipeline finished with Failed
    about 1 month ago
    Total: 91s
    #356769
  • Pipeline finished with Canceled
    about 1 month ago
    Total: 84s
    #356771
  • Comment about 1 month ago β†’
    πŸ‡³πŸ‡ΏNew Zealand ericgsmith

    I have expanded some tests - from a quick look I couldn't find existing tests covering the new entities behaviour - the validation constraint looked to be the appropriate place to add that.

    Once πŸ› User can't reference unpublished content even when they have access to it Needs work lands with the include_unpublished_entities setting on the base handler that can be incorporated here. Setting to postponed based on that.

  • Pipeline finished with Success
    about 1 month ago
    Total: 1093s
    #356774
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024