Contrib.social

Media entity owner access check

Open on Drupal.org →
Created on 29 February 2024, 4 months ago
Updated 5 March 2024, 4 months ago

Problem/Motivation

When a user only has permission to create a media and to edit his/her own media file, he/she still doesn't have access to do so.
It could be very important when we use an inline entity form as a field widget. For example https://drupal.org/project/inline_entity_form

Previously the issue was caused by a mistake in the type hint of the getOwnerId() function.
See 🐛 EntityOwnerInterface getOwnerId documents wrong return types Needs work

Steps to reproduce

  • Enable Media on the site
  • Make a new role. E.g. Media
  • Give permissions: Access media overview, View media, Create new media, Edit own media
  • Give this role to some new user (make sure that user doesn't have admin permissions)
  • Go to the /admin/content/media
  • Create a new media and back to the list
  • Click Edit button
  • Current result: user sees Access denied page
  • Expected result: user must be able to edit the entity

Proposed resolution

Update MediaAccessControlHandler::checkAccess() function

🐛 Bug report
Status

Needs work

Version

11.0 🔥

Component
Media 

Last updated about 11 hours ago

Created by

🇺🇦Ukraine HitchShock Ukraine

Live updates comments and jobs are added and updated live.
  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @HitchShock
  • Comment 4 months ago
    🇺🇦Ukraine HitchShock Ukraine
  • Comment 4 months ago
    🇺🇦Ukraine HitchShock Ukraine
  • Comment 4 months ago
    🇺🇦Ukraine HitchShock Ukraine

    Prepared a quick fix.

  • Merge request !6830[#3424593] Fixed owner access for media entities → (Open) created by HitchShock
  • Issue was unassigned.
  • Status changed to Needs review 4 months ago
  • Comment 4 months ago
    🇺🇦Ukraine HitchShock Ukraine

    Requires a first review before updating the tests.

  • Status changed to Needs work 4 months ago
  • Comment 4 months ago
    needs-review-queue-bot

    The Needs Review Queue Bot tested this issue.

    While you are making the above changes, we recommend that you convert this patch to a merge request . Merge requests are preferred over patches. Be sure to hide the old patch files as well. (Converting an issue to a merge request without other contributions to the issue will not receive credit.)

  • Pipeline finished with Failed
    4 months ago
    Total: 658s
    #106852
  • Status changed to Needs review 4 months ago
  • Comment 4 months ago
    🇺🇦Ukraine HitchShock Ukraine
  • Comment 4 months ago
    🇺🇸United States smustgrave

    I feel we have to have test coverage for the described issue (have not looked yet though)

  • Comment 4 months ago
    🇺🇦Ukraine HitchShock Ukraine

    @smustgrave Sure. You are right, we need. But first I want to hear the thoughts of other people about the issue.

  • Comment 4 months ago
    🇺🇸United States smustgrave

    No I mean I'm surprised we already don't but looking at the test failures maybe we do MediaAccessTest

  • Comment 4 months ago
    🇺🇦Ukraine HitchShock Ukraine

    @smustgrave
    To be honest, I was also surprised when I caught this bug.
    In the kernel, a non-strict condition is used everywhere: $account->id() == $entity->getOwnerId(), so everything works fine.
    But the media checkAccess uses a strict condition.

    Also will add an explanation for everyone why I set the Needs review status.
    Atm I fixed the issue in the following way:
    $is_owner = ($account->id() && $entity->getOwnerId() && $account->id() === (int) $entity->getOwnerId());
    This is a solution that generally complies with the strict typing that is gradually being implemented in PHP.

    But perhaps here it would be worth using a legacy approach that is more common in the core
    $account->id() == $entity->getOwnerId())

  • Comment 4 months ago
    🇳🇱Netherlands seanB Netherlands

    Ah yes, the string|int|null user ID is definitely troublesome. We either cast to int for both values, or change the strict comparison. I don't have a string opinion on it either way. I feel casting to int is slightly nicer, but not sure if that could lead to other unforeseen issues.

    So either:
    $is_owner = $account->id() && (int) $account->id() === (int) $entity->getOwnerId();

    Or simply just do:
    $is_owner = $account->id() && $account->id() == $entity->getOwnerId();

    The node modules contains this by the way, so maybe to non-strict comparison would be more in line with that:

    $uid = $node->getOwnerId();
if (... && $account->isAuthenticated() && $account->id() == $uid)
  • Status changed to Needs work 4 months ago
  • Comment 4 months ago
    🇺🇸United States smustgrave

    Thanks @seanB for taking a look!

  • First commit to issue fork.
  • Status changed to Needs review 4 months ago
  • Comment 4 months ago
    🇮🇳India adwivedi008

    Simply apply the changes suggested by @seanB over #13

    Used $is_owner = $account->id() && (int) $account->id() === (int) $entity->getOwnerId();
    to check the access.
    Please review and suggest if any other changes required

    Moving the issue to needs review

  • Pipeline finished with Success
    4 months ago
    Total: 475s
    #111207
  • Status changed to Needs work 4 months ago
  • Comment 4 months ago
    🇺🇸United States smustgrave

    Will need a test case for the issue though

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024