Xray incorrectly flags Media Library views as publicly accessible due to base permission check

Created on 9 May 2025, about 2 months ago

Problem/Motivation

The Media Library views provided by Drupal core are based on the "View media" permission, which can be granted to various roles. However, access to the displays within the views is restricted via additional runtime logic that Xray does not detect. As a result, Xray reports these views as publicly accessible when they are not, leading to false positives in security audits.

Steps to reproduce

Install and enable the Media Library module (part of Drupal core).
Ensure that the "View media" permission is granted to the anonymous user.
Enable and run the Xray module.
Observe that Xray reports the Media Library views as visible to anonymous users.
Try to visit the Media Library route as an anonymous user: it will not be accessible due to extra access logic.

Proposed resolution

Enhance Xray's detection logic to account for runtime access checks beyond the base permission declared in the view.
If full detection is not feasible, allow for configurable or pluggable exceptions for specific views or routes that implement custom access logic.
Optionally, detect common patterns (e.g., custom access callbacks, `hook_view_access_alter`, or access plugins) that override default view accessibility.

Remaining tasks

Confirm whether the current Media Library access logic can be reliably detected.
Evaluate the feasibility of a generic approach for identifying custom access control in views.
Implement the proposed enhancement or provide a mechanism to declare view-specific exceptions.
Add tests to validate that views with runtime access control are not falsely flagged.

User interface changes

None expected, unless an exception list or UI feedback is added to the Xray module.

API changes

Possibly extend Xray’s internal APIs to support access override detection or exception registration.

Data model changes

None.

🐛 Bug report

Status

Active

Version

1.0

Component

Code

Created by

🇪🇸Spain Juanjol Navarra

Live updates comments and jobs are added and updated live.

Merge Requests

!77Xray incorrectly flags Media Library views as publicly accessible due to base permission check
Open
🇪🇸Spain Juanjol
updated 29 days ago

Comments & Activities

Issue created by @Juanjol
Comment about 2 months ago →
🇪🇸Spain Juanjol Navarra
Merge request !77Issue #3523561: Check views access for anonymouse user by route too → (Open) created by Juanjol
Comment 29 days ago →
🇪🇸Spain Juanjol Navarra
Pipeline finished with Success
29 days ago
Total: 152s
#517734
Comment 29 days ago →
🇪🇸Spain Juanjol Navarra
I've created a Merge Request that enhances how anonymous user access is checked for views. Previously, it only evaluated access via the display's access() method. Now, if a view display has an associated route, the MR also verifies anonymous user access to that specific route. This allows for the proper execution of route-related hooks and other access-blocking mechanisms (e.g., those used by the Media Library module's widget), ensuring more comprehensive access control.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024