Media revision listing is accessible to anonymous users.

longwave → credited greggles → .

longwave → credited larowlan → .

longwave → credited marcoscano → .

longwave → credited smustgrave → .

Uploaded the patch by @larowlan to an MR.

Saving issue credits based on the triage done over on security.drupal.org.

One question on the MR.

seems to be failing a number of rest tests. Should they be updated or the solution relooked at?

working on fails

Addressed failure, which was also asserting that revision info was available to non admin users 🙃

Clarifying title, because whilst they can view the list and published revisions, they can't interact with the revision UI (e.g. revert revisions, delete revisions etc)

I think this should be reviewed by >=1 media system maintainer?

I was concerned that we were opening up a new information disclosure bug by removing the entity access checks with the original fix here, turns out we were, but @larowlan added extra test coverage and restored some of that logic (in a place that actually works correctly).

For me this is RTBC now, I've also pinged the media system maintainers for a review in slack per #19.

👍 looks good to me, thanks!

Committed and pushed 8f3f374984 to 11.x and 8a4467d55e to 10.2.x. Thanks!

larowlan → closed merge request !6013

Automatically closed - issue fixed for 2 weeks with no activity.