Bring back "access media overview" permission

Thanks, I pointed this out once in some other issue but was too lazy to open an issue.

IMHO we should just add the permission back, it makes perfect sense to have a dedicated permission for that.

Why do you expect the user cache context there?

The CR https://www.drupal.org/node/2863992 should be changed. We should remove

• The access media overview permission is removed.

Looks good and patch still applies

Looks good. Has test coverage. 👍

I used my mad apple-F skillz on #2831274: Bring Media entity module to core as Media module to confirm that this wasn't something we removed on purpose because there were too many permissions. Could have been. We say lots of things about permissions but not that.

Je me souviens: #1848686: Add a dedicated permission to access the term overview page (without 'administer taxonomy' permission)

Here's a test-only patch to expose the fail.

I can see maybe backporting this during RC since core Media hasn't had a stable release yet and this would be, y'know, broken. But letting tests run first.

Whenever we propose adding a permission I try to ask myself for reasons not to add it.

This one is analogous to the access content overview permission. Currently, you already need that permission to navigate to the media admin page, but this new/missing permission will allow you to access the media overview directly via a link/etc. or if the administrator has placed a different menu link to the media overview. The alternatives would either be lumping it in with access content overview or administer media. I can definitely see usecases for being able to access this page (and, in the future, the Media Library) without having permission to see admin/content. And, well, we shouldn't be encouraging handing out potentially dangerous permissions like administer media without careful consideration.

So +1 for adding this and retitling appropriately. Just waiting for tests to run now.

Hm, the tests are not adequately providing test coverage, so NW for that. Glad I was distrustful. :)

Ok, here we go. Now we additionally check if "access media overview" is defined in drupal.

I'd suggest you create new users with drupalCreateUser() because verifies the permissions and will fail if you try to grant one that doesn't exist.

Ok, now i created an additional role, with the new permission. This will also check if the permission exists in drupal. @berdir also mentioned on IRC that we currently have no tests for the media overview at all. So i added some more checks.

path for drupalGet() should not have a leading / AFAIK. Other than that this is OK I think.

Removed the leading slash

Thanks.

Committed/pushed to 8.5.x and cherry-picked to 8.4.x. Thanks!

I'm just wondering here... With this new permission, shouldn't the collection permission now be this one instead of administer media?

Currently I'm forced to give users the administer media permission so that they can visualize the Media link under /admin/content, and this seems to be a security oversight, if I understood it correctly.

Hi, I have the same problem as lucasantunes. I'd like to allow users to access /admin/content/media page, but without giving them administer media permission it doesn't work. I've checked the access media overview permission, but it's not enough (without administer media permission I can't see Media tab in /admin/content page... but what's interesting, when I manually access the page /admin/content/media-grid, I have access to it... but still, I don't have access to /admin/content/media page).

I also seem to run into this issue... However not on all of my sites.
Not sure why this works elsewhere and not where I'd expect it to work.

Anyways... A patch is attached that does the job for me on 9.4.8 for anyone who runs into this.

Since this issue is closed, I created #3340090: The "access media overview" permission has no effect for the access issue and uploaded RandalV's patch there.