Contrib.social

The media library should perform access checks against the revision of the entity being edited

Open on Drupal.org →
Created on 2 April 2020, over 4 years ago
Updated 5 June 2023, over 1 year ago

Problem/Motivation

Currently when the media library does access checking on the entity that opened the media library, it does so by loading the entity using a simple \Drupal\Core\Entity\EntityStorageInterface::load. When editing inline blocks and layout builder both of these things are true:

  • You aren't guaranteed to be modifying the latest or default revision of an inline block.
  • The revision ID of an inline block is very important to it's access control.

Steps to reproduce:

  • Enable media_library, layout_builder.
  • Add a media field + media library to a custom block type.
  • Enable layout builder + per entity overrides on a content type.
  • Embed a block with the media library field into a per entity override.
  • Create two revisions, modify the inline block in both.
  • Go to the "Revisions" tab and revert to the first revision.
  • Go back to the layout tab and try to edit and save a new image in the media library.
  • AJAX request will come back a 403.

What is happening under the hood:

  • The media library has an block content entity ID.
  • It loads that entity and checks access against it.
  • The inline block's access is based on it's host entity, so it loads the host and confirms the revision ID of the block is used on the layout (\Drupal\layout_builder\EventSubscriber\SetInlineBlockDependency::isBlockRevisionUsedInEntity).
  • The media libraries ::load call doesn't match the actual revision ID in the layout and the access chain is broken, resulting in an access denied.

Proposed resolution

Pass the host entity's revision ID around, instead of it's ID and load that instead for the purposes of access control.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Fixed

Version

9.5

Component
Media 

Last updated about 12 hours ago

Created by

🇦🇺Australia Sam152

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment over 1 year ago
    🇮🇳India imalabya Bangalore

    This issue exists in Drupal 9.5 with entity clone

    Steps to reproduce:

    • Add a Block which have a media reference in a Layout Builder enabled node
    • Clone the node
    • Go to layout of the new cloned node and edit the block.
    • Remove the arrached media reference and try to add a new Media reference (Either by selecting existing media item or upload new)
    • Throws an AJAX error Non-reusable blocks must set an access dependency for access control.
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024