Add "view $bundle media" permission

Created on 11 April 2023, about 1 year ago
Updated 12 April 2023, about 1 year ago

Problem/Motivation

Creating a media item with restricted (limited to certain roles) view / download access is not possible.

An example for this would be a media type "private documents" which should only be available for elevated user roles and not to anyone having "view media" permission.
Media is what the site builder expects to use for this (as it's private documents), but due to the missing permissions, you currently can't do it.

A very important point here is, how private files work in Drupal to determine their download access permission: They check the "view" permission of their parent entity. And that's what's missing here. For details see this blog post.

In #2862422: Add per-media type creation permissions for media → most permissions were split into bundle permissions, but "view media" wasn't. For view unpublished $bundle media there's already an issue: ✨ Add "view unpublished $bundle media" permissions for each media bundle Postponed but that doesn't solve the problem for published media with restricted view access.

🐛 Make private file access handling respect the full entity reference chain Postponed goes even further by determining the media entity access by the parent entities, but that seems to be far future. For example, it's blocked by heavy tasks like 📌 Track media usage and present it to the site builder (in the media library, media view, on media deletion confirmation, etc.) Active
In https://drupal.org/project/media_private_access some of the ideas were already implemented, also the view $bundle media permission requested here was implemented experimentally:
https://git.drupalcode.org/project/media_private_access/-/blob/8.x-1.x/s...

Steps to reproduce

Add a media type whose files should only be accessible for certain roles, like "customer", "team member", "forum member" or whoever.
See that it's not possible, as there's only the global "view media" permission and no view media permission per bundle.

There's no way to restrict media bundles access to certain roles without custom code, while granular permissions exist for CUD!

Proposed resolution

  1. Introduce view $bundle media permission, if possible, utilizing 📌 Introduce entity permission providers Needs work
  2. Grant view $bundle media for all bundles for anyone, who had view media permission before, like it was already done for create / edit / delete in ✨ Add "view unpublished $bundle media" permissions for each media bundle Postponed and rename "View media" to "View any media"
  3. Deprecate general "view media" permission with #2925459: Deprecate generic media permissions →

In the meantime & proof of concept:
We might discuss, if it makes sense to create a media_access module like other examples: https://www.drupal.org/project/block_access →
OR
Revive https://www.drupal.org/project/media_private_access → with Drupal 10 compatibility and make it less experimental. I contacted @marcoscano for that reason to get his feedback.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

✨ Feature request
Status

Active

Version

10.1 ✨

Component
Media →

Last updated about 12 hours ago

Created by

🇩🇪 Germany Anybody Porta Westfalica
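
The "custom code" the summary says is needed today, as an added example that is not from this issue, from Drupal core or from media_private_access. It assumes a hypothetical module named `media_bundle_view` that already declares one `view <bundle> media` permission per media type through its own permission callback.

```php
<?php

/**
 * @file
 * media_bundle_view.module (hypothetical module, added example).
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\media\MediaInterface;

/**
 * Implements hook_ENTITY_TYPE_access() for media entities.
 */
function media_bundle_view_media_access(MediaInterface $media, string $operation, AccountInterface $account): AccessResultInterface {
  // Create, update and delete already have per-bundle permissions in core,
  // so only "view" is narrowed here.
  if ($operation !== 'view') {
    return AccessResult::neutral();
  }

  // Leave media administrators to core's own access handler.
  if ($account->hasPermission('administer media')) {
    return AccessResult::neutral()->cachePerPermissions();
  }

  // Assumed permission name, following the "view $bundle media" pattern
  // proposed in this issue. It must be declared by the module itself.
  $permission = 'view ' . $media->bundle() . ' media';

  // Hook results are OR-ed with core's check, and core still allows on the
  // global "view media" permission. Only an explicit "forbidden" overrides
  // that allow, so a neutral result here would not restrict anything.
  return AccessResult::forbiddenIf(
    !$account->hasPermission($permission),
    "The '$permission' permission is required."
  )->cachePerPermissions();
}
```

This hook runs on per-entity access checks only; listings built from entity queries or Views do not invoke it and need their own filtering.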
