Problem/Motivation

In #2962525: Create a field widget for the Media library module, a new View is added for all users with the "View media" permission. There's nothing implicitly dangerous or special about this view, but as anonymous users often have the "View media" permission sites may prefer to only allow access to the view if it's opened from the widget.

  1. Right now, the media library depends on a state value object derived from URL query parameters. Users are not supposed to tamper with those parameters, but we have no mechanism in place to prevent that. So we need to implement a tamper-proof hash, similar to what Media does in its IframeUrlHelper class, to prevent people from messing with the query parameters in the first place.
  2. Secondly, as @marcoscano points out in #15, a permission might be too blunt of an instrument for controlling access to the media library, simply because it can potentially be used in a bunch of different places and in different ways. With a permission, a site builder would need to grant at least two permissions to authors in order to allow them to use the media library at all -- they'd need the "view media" permission, and permission to access the media reference field at all. That's a big fat DrupalWTF that we should do our best to avoid. Instead, we will implement some sort of system, probably based on the event system, to ask the opener (i.e., the field or the WYSIWYG editor in question) to allow or deny access to the media library, based on the parameters in the state object. Since the state object is central to computing access this way, we'll need the tamper-proofing in place first.
  3. Finally, the media library view has two displays (grid and table), and neither can really be used without a valid state object. Yet there is nothing enforcing that constraint -- if you have the "view media" permission, you can see the media library. So we want to deny access to all displays of the media library view (except the standalone ones at /admin/content/media) if there is no valid state object present.

Proposed resolution

Fix the following issues:

Remaining tasks

Discuss solutions and scope, write patch.

User interface changes

None.

API changes

None.

Data model changes

None.

CommentFileSizeAuthor
#12 interdiff-10-12.txt523 bytesmarcoscano
#12 2983179-12.patch2.34 KBmarcoscano
#10 2983179-10.patch2.33 KBmarcoscano

Comments

samuel.mortenson created an issue. See original summary.

Version: 8.6.x-dev » 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

samuel.mortenson’s picture

samuel.mortenson
he/him
Primary language English
commented

As a part of this issue we should also validate the library query params, possibly replacing them with a single param for the field definition.

samuel.mortenson’s picture

samuel.mortenson
he/him
Primary language English
commented
Title: [PP-1] Implement stricter access checking for the media library widget view » Implement stricter access checking for the media library widget view
Status: Postponed » Active
samuel.mortenson’s picture

samuel.mortenson
he/him
Primary language English
commented

possibly replacing them with a single param for the field definition

I'd like to roll this back - I think the Media Library (modal stuff) should not be field-reliant, since we also want to use it with CKEditor.

samuel.mortenson’s picture

samuel.mortenson
he/him
Primary language English
commented

In the short term, we should definitely hash the query params to prevent arbitrary user input. I want to do that in this issue since the alternative options for access checking (actually checking field access) seem extremely complex.

marcoscano’s picture

marcoscano
Primary language Portuguese, Brazil
Location Barcelona, Spain
commented

Uneducated question (sorry): Does this view display need to be a page display for a particular reason? I wonder if it wouldn't make things easier to have a display type without route access (as Entity Browser does), so it could only be used inside our dialog system.

This would also make it easier to detect which view/displays are selectable in #2971209: Allow the MediaLibraryUiBuilder service to use an alternative view display

samuel.mortenson’s picture

samuel.mortenson
he/him
Primary language English
commented

@marcoscano I tried using the embedded display for the view and having the field widget open the dialog after rendering the view directly, but there were multiple bugs related to rendering and exposed form functionality. I'm not against someone attempting it again - just throwing that out there.

marcoscano’s picture

marcoscano
Primary language Portuguese, Brazil
Location Barcelona, Spain
commented
Assigned: Unassigned » marcoscano
Issue tags: +BarcelonaMediaSprint

#8: Thanks for clarifying!

Discussed this with @SeanB today as part of the media sprint, it seems like for now just a new permission to access the media library may be in scope here, and then the widget will use that as part of the different access checks it will need to perform.

I'll work on this.

marcoscano’s picture

marcoscano
Primary language Portuguese, Brazil
Location Barcelona, Spain
commented
Assigned: marcoscano » Unassigned
Status: Active » Needs review
StatusFileSize
new 2983179-10.patch2.33 KB

This implements a new select media library items permission as a first step to approach access to the Media Library in a better way.

Status: Needs review » Needs work

The last submitted patch, 10: 2983179-10.patch, failed testing. View results

marcoscano’s picture

marcoscano
Primary language Portuguese, Brazil
Location Barcelona, Spain
commented
Status: Needs work » Needs review
StatusFileSize
new 2983179-12.patch2.34 KB
new interdiff-10-12.txt523 bytes

Status: Needs review » Needs work

The last submitted patch, 12: 2983179-12.patch, failed testing. View results

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Issue tags: +Media Initiative 
+++ b/core/modules/media_library/media_library.permissions.yml
@@ -0,0 +1,3 @@
+select media library items:
+  title: 'Select media library items'
+  description: 'Users with this permission can select entities from the Media Library in the library widget'

So … if you don't have this permission, can you access the media library but in a read-only mode?

marcoscano’s picture

marcoscano
Primary language Portuguese, Brazil
Location Barcelona, Spain
commented

After some more discussion, we are arriving to the conclusion that this new permission isn't perhaps the best approach in the end.

The media library widget will have a controller with a custom access handler that will:

1- When opened from an entity reference field:
a) Grant access to the media library view display if the user has access to the field the widget is attached to. (Because we assume if a user can edit a field that allows referencing media items of a given type, they should be able to see (and hence select) those media items)
b) Grant access to the add form if the user has access to create new entities of that particular type.

2- When opened from the CKEditor button:
a) Grant access to the media library view display if the user has permission view media and has access to the text format the button was in.
b) Grant access to the add form if the user has access to create new entities of that particular type.

(That's my understanding of it at least :) )

The current Widget view display will then not be a page display anymore, so the controller's route would be the only point of access to the media library widget display.

With that, we can just close this issue as outdated. (I'm holding off on doing so until we have an issue number to refer to where the work described above is being done).

phenaproxima’s picture

phenaproxima
he/him
Primary language English
Location Massachusetts
commented

@seanB and I got in a Slack discussion with @alexpott today about the best way to approach this. We decided that we need three things:

  1. Right now, the media library depends on a state value object derived from URL query parameters. Users are not supposed to tamper with those parameters, but we have no mechanism in place to prevent that. So we need to implement a tamper-proof hash, similar to what Media does in its IframeUrlHelper class, to prevent people from messing with the query parameters in the first place.
  2. Secondly, as @marcoscano points out, a permission might be too blunt of an instrument for controlling access to the media library, simply because it can potentially be used in a bunch of different places and in different ways. With a permission, a site builder would need to grant at least two permissions to authors in order to allow them to use the media library at all -- they'd need the "view media" permission, and permission to access the media reference field at all. That's a big fat DrupalWTF that we should do our best to avoid. Instead, we will implement some sort of system, probably based on the event system, to ask the opener (i.e., the field or the WYSIWYG editor in question) to allow or deny access to the media library, based on the parameters in the state object. Since the state object is central to computing access this way, we'll need the tamper-proofing in place first.
  3. Finally, the media library view has two displays (grid and table), and neither can really be used without a valid state object. Yet there is nothing enforcing that constraint -- if you have the "view media" permission, you can see the media library. So we want to deny access to all displays of the media library view (except the standalone ones at /admin/content/media) if there is no valid state object present.

We decided that since spreading this work over multiple issues might increase the possibility of security holes, @seanB will implement all of this in a patch in this issue as a proof of concept, and then we'll split it up into separate issues to make it easier to review and commit.

seanb’s picture

seanb
Primary language Dutch
Location Netherlands
commented
Title: Implement stricter access checking for the media library widget view » [META] Implement stricter access checking for the media library
Issue summary: View changes

Created issues and updated IS:
#3038241: Implement a tamper-proof hash for the media library state
#3038254: Delegate media library access to the "thing" that opened the library
#3038350: Deny access to all media library View Displays if there is no valid state object

seanb’s picture

seanb
Primary language Dutch
Location Netherlands
commented
Status: Needs work » Active

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Issue summary: View changes

#3038241: Implement a tamper-proof hash for the media library state was completed!

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Issue summary: View changes

#3038350: Deny access to all media library View Displays if there is no valid state object was also completed.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented

I created #3063216: Inaccessible Media entities still have rows generated for them in the Media Library view, containing form wrapper markup *and* the media label based on #3038254-62: Delegate media library access to the "thing" that opened the library.

phenaproxima’s picture

phenaproxima
he/him
Primary language English
Location Massachusetts
commented
Issue summary: View changes
Status: Active » Fixed

#3038254: Delegate media library access to the "thing" that opened the library landed this morning, which concludes this meta. :)

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented
Status: Fixed » Active

I unfortunately have to disagree 😐 Sorry!

#3063216: Inaccessible Media entities still have rows generated for them in the Media Library view, containing form wrapper markup *and* the media label was newly discovered in #22. While that may not be exactly what the intent was of this meta originally, because that was focusing on certain aspects of the media library, it definitely falls under the umbrella of "stricter access checking". Right now #3063216: Inaccessible Media entities still have rows generated for them in the Media Library view, containing form wrapper markup *and* the media label arguably is disclosing sensitive information.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

azinck’s picture

azinck commented
Status: Active » Fixed

Given the issue Wim references in #24 ( #3063216: Inaccessible Media entities still have rows generated for them in the Media Library view, containing form wrapper markup *and* the media label ) has been fixed, I believe this can be closed.

wim leers’s picture

wim leers
Location Ghent 🇧🇪🇪🇺
commented

Yay, thanks, @azinck!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.