Problem/Motivation
On our site, we've added media reference fields to some of our menus with the Menu Item Extras module. When we add a value to these fields, the media library widget shows a dialog containing the media library. When we select a media entity and click "Insert Selected", the following error appears in the browser console/dblog:
Path: /media-library?ajax_form=1&_wrapper_format=drupal_ajax&media_library_opener_id=media_library.opener.field_widget&media_library_allowed_types%5Bimage%5D=image&media_library_selected_type=image&media_library_remaining=1&media_library_opener_parameters%5Bfield_widget_id%5D=field_section_icon&media_library_opener_parameters%5Bentity_type_id%5D=menu_link_content&media_library_opener_parameters%5Bbundle%5D=main-navigation&media_library_opener_parameters%5Bfield_name%5D=field_section_icon&hash=__DcczjYUEwR573DEScmLx3iOdgkCLw-uz23c11_chw&views_display_id=widget&_wrapper_format=drupal_ajax. Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 118 of /var/www/html/docroot/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).
This appears to have worked in Drupal 9, but we recently updated to Drupal 10, which seems to be stricter about this check.
Steps to reproduce
- Install the Menu Item Extras module.
- Add a media reference field to a menu. For simplicity's sake, have it reference an image media type.
- Go to the Add menu link page.
- Find the media field you added in the second step.
- Click the Add media button.
- Upload an image or select an existing image.
- Click Insert selected.
- Check the browser console and/or dblog. You should see the access denied error in both places.
Proposed resolution
This issue occurs because an access check is performed any time hook_menu_link_content_create_access is invoked. In this case, we're assigning a value to a field, so I would suggest returning a neutral access result, and letting the full access check run when the menu item is saved.
One thing that may be useful is to expand the path check in this case so other field checks can be accounted for. However, the original use case that led me to this proposed resolution was for media, so I'll leave it to others to expand on it as needed.
Remaining tasks
I'll post a patch to implement my proposed resolution.
User interface changes
None.
API changes
Return a neutral access result if the originating URL is a media library.
Data model changes
None.