The media library should perform access checks against the revision of the entity being edited

Created on 2 April 2020, over 4 years ago
Updated 5 June 2023, over 1 year ago

Problem/Motivation

Currently when the media library does access checking on the entity that opened the media library, it does so by loading the entity using a simple \Drupal\Core\Entity\EntityStorageInterface::load. When editing inline blocks and layout builder both of these things are true:

  • You aren't guaranteed to be modifying the latest or default revision of an inline block.
  • The revision ID of an inline block is very important to it's access control.

Steps to reproduce:

  • Enable media_library, layout_builder.
  • Add a media field + media library to a custom block type.
  • Enable layout builder + per entity overrides on a content type.
  • Embed a block with the media library field into a per entity override.
  • Create two revisions, modify the inline block in both.
  • Go to the "Revisions" tab and revert to the first revision.
  • Go back to the layout tab and try to edit and save a new image in the media library.
  • AJAX request will come back a 403.

What is happening under the hood:

  • The media library has an block content entity ID.
  • It loads that entity and checks access against it.
  • The inline block's access is based on it's host entity, so it loads the host and confirms the revision ID of the block is used on the layout (\Drupal\layout_builder\EventSubscriber\SetInlineBlockDependency::isBlockRevisionUsedInEntity).
  • The media libraries ::load call doesn't match the actual revision ID in the layout and the access chain is broken, resulting in an access denied.

Proposed resolution

Pass the host entity's revision ID around, instead of it's ID and load that instead for the purposes of access control.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Fixed

Version

9.5

Component
Media 

Last updated about 4 hours ago

Created by

🇦🇺Australia Sam152

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇮🇳India imalabya Bangalore

    This issue exists in Drupal 9.5 with entity clone

    Steps to reproduce:

    • Add a Block which have a media reference in a Layout Builder enabled node
    • Clone the node
    • Go to layout of the new cloned node and edit the block.
    • Remove the arrached media reference and try to add a new Media reference (Either by selecting existing media item or upload new)
    • Throws an AJAX error Non-reusable blocks must set an access dependency for access control.
  • 🇮🇩Indonesia permanaj Bali

    I have similar case with @imalabya

    I get error `Non-reusable blocks must set an access dependency for access control.` after uploading the image for the second time

    Steps to reproduce:

    • Add a Block which have a media reference in a Layout Builder enabled node
    • Clone the node
    • Go to the layout of the new cloned node and edit the block.
    • Remove the attached media reference and try to add upload new image. Save block. Save layout.
    • Go to the layout of the cloned node again, and edit the block.
    • Remove the attached media reference and again, try to add upload new image. After selecting the image there is an error on the browser console

    I test this on simplytest.me using Drupal 10.3.6 and 10.3.9 with Entity clone module version 2.1.x.

Production build 0.71.5 2024