Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
At some point in #2831274: Bring Media entity module to core as Media module we lost the access media overview
permission, though we still use it in views.view.media.yml
.
Proposed resolution
Decide if the permission is missing or the view access is broken.
Remaining tasks
User interface changes
API changes
Data model changes
Comment | File | Size | Author |
---|---|---|---|
#29 | 2905213.patch | 649 bytes | RandalV |
#21 | interdiff-2905213-17-21.txt | 1.14 KB | chr.fritsch |
#21 | bring_back_access-2905213-21.patch | 3.33 KB | chr.fritsch |
#17 | interdiff-2905213-14-17.txt | 2.88 KB | chr.fritsch |
#17 | bring_back_access-2905213-17.patch | 3.32 KB | chr.fritsch |
Comments
Comment #2
BerdirThanks, I pointed this out once in some other issue but was too lazy to open an issue.
IMHO we should just add the permission back, it makes perfect sense to have a dedicated permission for that.
Comment #3
marcoscanoI have no idea either why this was dropped, but in case we decide to add it back, here is a first attempt of a patch for that.
Comment #5
BerdirWhy do you expect the user cache context there?
Comment #6
marcoscanoCopy/Paste fail + laziness for running the test locally... Sorry for both of them :(
marcoscano--
Comment #7
chr.fritschThe CR https://www.drupal.org/node/2863992 should be changed. We should remove
Comment #8
chr.fritschLooks good and patch still applies
Comment #9
Wim LeersLooks good. Has test coverage. 👍
Comment #10
xjmI used my mad apple-F skillz on #2831274: Bring Media entity module to core as Media module to confirm that this wasn't something we removed on purpose because there were too many permissions. Could have been. We say lots of things about permissions but not that.
Je me souviens: #1848686: Add a dedicated permission to access the term overview page (without 'administer taxonomy' permission)
Here's a test-only patch to expose the fail.
I can see maybe backporting this during RC since core Media hasn't had a stable release yet and this would be, y'know, broken. But letting tests run first.
Comment #11
xjmWhenever we propose adding a permission I try to ask myself for reasons not to add it.
This one is analogous to the
access content overview
permission. Currently, you already need that permission to navigate to the media admin page, but this new/missing permission will allow you to access the media overview directly via a link/etc. or if the administrator has placed a different menu link to the media overview. The alternatives would either be lumping it in withaccess content overview
oradminister media
. I can definitely see usecases for being able to access this page (and, in the future, the Media Library) without having permission to seeadmin/content
. And, well, we shouldn't be encouraging handing out potentially dangerous permissions likeadminister media
without careful consideration.So +1 for adding this and retitling appropriately. Just waiting for tests to run now.
Comment #13
xjmHm, the tests are not adequately providing test coverage, so NW for that. Glad I was distrustful. :)
Comment #14
chr.fritschOk, here we go. Now we additionally check if "access media overview" is defined in drupal.
Comment #16
BerdirI'd suggest you create new users with drupalCreateUser() because verifies the permissions and will fail if you try to grant one that doesn't exist.
Comment #17
chr.fritschOk, now i created an additional role, with the new permission. This will also check if the permission exists in drupal. @berdir also mentioned on IRC that we currently have no tests for the media overview at all. So i added some more checks.
Comment #18
Berdirpath for drupalGet() should not have a leading / AFAIK. Other than that this is OK I think.
Comment #20
BerdirComment #21
chr.fritschRemoved the leading slash
Comment #22
BerdirThanks.
Comment #25
catchCommitted/pushed to 8.5.x and cherry-picked to 8.4.x. Thanks!
Comment #27
lucasantunes CreditAttribution: lucasantunes commentedI'm just wondering here... With this new permission, shouldn't the collection permission now be this one instead of
administer media
?Currently I'm forced to give users the
administer media
permission so that they can visualize theMedia
link under/admin/content
, and this seems to be a security oversight, if I understood it correctly.Comment #28
tivi22 CreditAttribution: tivi22 commentedHi, I have the same problem as lucasantunes. I'd like to allow users to access
/admin/content/media
page, but without giving themadminister media
permission it doesn't work. I've checked theaccess media overview
permission, but it's not enough (withoutadminister media
permission I can't seeMedia
tab in/admin/content
page... but what's interesting, when I manually access the page/admin/content/media-grid
, I have access to it... but still, I don't have access to/admin/content/media
page).Comment #29
RandalVI also seem to run into this issue... However not on all of my sites.
Not sure why this works elsewhere and not where I'd expect it to work.
Anyways... A patch is attached that does the job for me on 9.4.8 for anyone who runs into this.
Comment #30
MatthijsSince this issue is closed, I created #3340090: The "access media overview" permission has no effect for the access issue and uploaded RandalV's patch there.