Add a way to limit the available media items when embedding into other entities

Created on 11 May 2021, over 3 years ago
Updated 18 August 2023, over 1 year ago

Problem/Motivation

Currently, we have two main permissions when adding or selecting media through a media field. They are "View media" and "View own unpublished media". I am feeling the lack of a third option that is "View own media content". If I check the "View media", it displays all media available. However, I wish to allow the user to see only what he uploads to the library, not all files present there. For the other roles, I would like them to keep seeing all files.

Steps to reproduce

1. Create a content type
2. Add a media field
3. Create two user roles, e.g. Staff Member and Content Editor
4. Create two users, one for each role
5. Give permission to the Content Editor user to see all images on the media library
6. Try to give permission to the user Staff Member to see only the images they uploaded on the media library

Proposed resolution

TBD. See the end of #11 for some proposals.

Remaining tasks

  1. Decide on the right solution.
  2. Implement it.
  3. Add/expand tests.
  4. Probably deal with an upgrade path + upgrade path tests.
  5. Reviews / refinements.
  6. RTBC.

User interface changes

API changes

Data model changes

Release notes snippet

Feature request
Status

Needs work

Version

9.5

Component
Media 

Last updated about 17 hours ago

Created by

🇬🇧United Kingdom lesleyfernandes

Live updates comments and jobs are added and updated live.
  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇮🇳India junaidpv Kannur, Kerala

    We were having this requirement and this thread had came in my search result. We could develop a solution. Hopefully people looking for a solution will find this helpful.

    The solution is with help of a ViewsArgumentDefault plugin. It is somehow like an extended version of "User ID from logged in user" in user module. I created it like a completely new plugin. But I guess we can just improve existing "User ID from logged in user".

    It is generic user module related plugin. Can be used for other related user cases. So, no need to go into media system.

    Steps to use this:

    1. Apply the patch to Drupal core
    2. Clear cache
    3. Add "Authored by" contextual filter for Media items.
    4. On that contextual filter settings dialog. Under "When the filter value is NOT available". Choose "Provide default value" option.
    5. Then select "User ID from logged in user with skipping for selected roles" as type.
    6. Select roles you want to grant access to view items,
    7. Make sure the "Skipping value" setting matches with the "Exception Value" under "Exceptions" field set.
  • 🇮🇳India _utsavsharma

    Tried to fix CCF for #22.

  • Status changed to Needs work almost 2 years ago
  • The Needs Review Queue Bot tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

  • 🇮🇳India _pratik_ Banglore

    #22 applied for me , I hope this will apply .

  • Status changed to Needs review almost 2 years ago
  • Status changed to Needs work almost 2 years ago
  • 🇺🇸United States smustgrave

    TBD. See the end of #11 for some proposals.

    Proposed solution should be updated before review. So the reviewer can compare proposed solution to patch.

    Also will need test coverage

  • 🇺🇸United States mrweiner

    Looking through this issue, I wonder whether we can take inspiration from the permissions that Drupal Commerce sets up, e.g. View any Order, View orders in own store, and View own orders.

    Per #11:

    As media items, by default, everyone would be able to view them. The point of "view X" permissions in core is to limit who can see something at all. We do not want to confuse things by having a permission called "View own media items" that actually means "see only your own media items when trying to insert one into something else."

    I agree with this, unless we are in fact defining a global permission. Would it be problematic to introduce a "View own media items" permission to handle this case more generally? I'd wager that this would handle most of the use cases that folks are trying to address when landing on this issue.

  • 🇺🇸United States mrweiner

    Also +1 to

    Maybe we want to add "My media" vs. "All media" tabs to the default media library view and let sites that want to restrict access to the "All media" display do so via the usual Views access settings (e.g. to make them role based, or whatever).

    Two tabs -- maybe with associated "view media overview" permissions -- would be great.

Production build 0.71.5 2024