media_library access neutral + allowed causes a forbidden (MediaLibraryUiBuilder.php)

Created on 27 March 2025, 7 days ago

Problem/Motivation

Having a similar problem describe here : 🐛 Why does Route access checking differ from Entity access checking? Needs work but with media_library core module.

In checkAccess() in MediaLibraryUiBuilder.php we call

// Delegate any further access checking to the opener service nominated by
// the media library state.
return $this->openerResolver->get($state)->checkAccess($state, $account)
  ->andIf($can_view_media);

But if $this->openerResolver->get($state)->checkAccess($state, $account) return AccessResultNeutral we have : Neutral + Allowed which give Neutral so Forbidden.
See truth table of andIf() method :

   * Truth table:
   * @code
   *   |A N F
   * --+-----
   * A |A N F
   * N |N N F
   * F |F F F
   * @endcode

Steps to reproduce

In my case I'm working with the contrib module group ( https://www.drupal.org/project/group → ) and its sub-module gnode.
The gnode.module implements the hook_entity_create_access hook. And this hook returns by default AccessResultNeutral.
So when I trying to upload a file through the media ui widget while creating a new content. It calls the MediaLibraryUiBuilder:checkAccess(), the user is able to view media so $can_view_media = AccessResultAllowed, but $this->openerResolver->get($state)->checkAccess($state, $account) = AccessResultNeutral (due to the hook_node_create_access in gnode.module). Then the AccessResultInterface:andIf() returns an AccessResultNeutral causing a 403 Forbidden.

Proposed resolution

In MediaLibraryUiBuilder line 209 (in the checkAccess method) we could replace the andIf by orIf.
So the checkAccess return will change from

    // Delegate any further access checking to the opener service nominated by
    // the media library state.
    return $this->openerResolver->get($state)->checkAccess($state, $account)
      ->andIf($can_view_media);

    // Delegate any further access checking to the opener service nominated by
    // the media library state.
    return $this->openerResolver->get($state)->checkAccess($state, $account)
      ->orIf($can_view_media);

Truth table of orIf() method :

   * Truth table:
   * @code
   *   |A N F
   * --+-----
   * A |A A F
   * N |A N F
   * F |F F F
   * @endcode

🐛 Bug report

Status

Active

Version

10.4 ✨

Component

media system

Created by

🇫🇷France NathLL

Live updates comments and jobs are added and updated live.

Merge Requests

!11652media_library access neutral + allowed causes a forbidden (MediaLibraryUiBuilder.php)
Open
🇫🇷France NathLL
updated 7 days ago

Comments & Activities

Issue created by @NathLL
Comment 7 days ago →
🇫🇷France NathLL
Merge request !11652Issue #3515754 by NathLL : Change method to aggregate AccessRestult → (Open) created by NathLL
Comment 6 days ago →
🇳🇿New Zealand quietone
Changes are made on on 11.x (our main development branch) first, and are then back ported as needed according to the Core change policies → .
Restoring template. The issue template is used to track progress and various tasks on an issue.
Comment 6 days ago →
🇫🇷France NathLL
Ok, thanks for the clarification.

I'm currently working on updating tests. So I'll port my change on 11.x then working back on update tests.
Comment 3 days ago →
🇫🇷France NathLL
Sorry, I've maybe created this issue a bit quickly.
After working on tests, I realized that I may have not fully understood how this code works.

Please can someone check this. Thanks.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024