Problem/Motivation

Entity configuration:

  1. Install Inline Entity Form
  2. Create a media entity bundle "Media Test"
  3. Add a media reference field to a content type to reference "Media Test" only
  4. Select "Create referenced entities if they don't already exist"
  5. Under "Manage form display" set the widget to "Inline entity form - Simple"

User configuration:

  1. Add a new user
  2. Set relevant permissions for creating the content type and entity type
  3. Set relevant permissions for viewing unpublished and editing the entity types
  4. Do not select "administer media"

Log in as the new user and try to create a new page with reference media. The following error is displayed:

This entity (media: media_test) cannot be referenced.

See Drupal\media\Plugin\EntityReferenceSelection\MediaSelection:

  /**
   * {@inheritdoc}
   */
  public function validateReferenceableNewEntities(array $entities) {
    $entities = parent::validateReferenceableNewEntities($entities);
    // Mirror the conditions checked in buildEntityQuery().
    if (!$this->currentUser->hasPermission('administer media')) {
      $entities = array_filter($entities, function ($media) {
        /** @var \Drupal\media\MediaInterface $media */
        return $media->isPublished();
      });
    }
    return $entities;
  }

Giving the user the permission "administer media" allows the node and referenced media entity to be created. I think it would be preferable for this permission to not be required.

Proposed resolution

The logic in validateReferenceableNewEntities is matched to the logic in buildEntityQuery - which does not allow the user access to see unpublished media that they should have access to.

In this case the user has access to their own media through the permission "view own unpublished media" - or they may have access to all unpublished media through the permission "view all unpublished content" provided by content moderation.

A similar issue exists for the node selection handler #2845144: Users without 'bypass node access' permission can't reference unpublished content even if they have access to it that proposes to introduce an additional check for view all unpublished content and the equivalent view own unpublished content permission. The solution for the media selection handler should follow the solution for the node selection handler. I believe this should follow the same backwards comparability handling and therefore makes sense to postpone this until the node issue lands.

https://www.drupal.org/project/drupal/issues/2845144#comment-15387486 offers a good summary of the BC need.

Remaining tasks

User interface changes

None.

API changes

None.

Data model changes

None.

CommentFileSizeAuthor
#21 3110677-nr-bot.txt2.01 KBneeds-review-queue-bot
#17 3110677-17.patch3.82 KBdaniel korte
#14 reroll_diff_6-14.txt2.2 KBakram khan
#14 3110677-14.patch2.71 KBakram khan
#13 3110677-13.patch2.71 KBakram khan
#6 core_mediaselection-referencing_new_media-3110677.patch2.77 KBabrahame

Issue fork drupal-3110677

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

imclean created an issue. See original summary.

imclean’s picture

imclean commented

I've enabled the permission "view unpublished media" but this check doesn't take it into account:

 return $media->isPublished();
imclean’s picture

imclean commented
Issue summary: View changes
imclean’s picture

imclean commented
Issue summary: View changes

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

abrahame’s picture

abrahame commented
StatusFileSize
new core_mediaselection-referencing_new_media-3110677.patch2.77 KB

Have the same issue in my current project so I created a patch which works for me.

abrahame’s picture

abrahame commented
Status: Active » Needs review

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

j-barnes’s picture

j-barnes commented

@AbrahamE - Working great for me, thanks for the patch!

joachim’s picture

joachim commented
Status: Needs review » Needs work 
  1. +++ b/core/modules/media/src/Plugin/EntityReferenceSelection/MediaSelection.php
@@ -25,23 +25,28 @@ protected function buildEntityQuery($match = NULL, $match_operator = 'CONTAINS')
+    if ($this->currentUser->hasPermission('administer media')) {
+      return $query;
+    }
+    elseif (!$this->currentUser->hasPermission('administer media')
+      && !$this->currentUser->hasPermission('view own unpublished media')
+    ) {

    I think it would be better if this method kept the current layout of having just one return.

    Also, the second check to the admin permission isn't necessary. 

  2. +++ b/core/modules/media/src/Plugin/EntityReferenceSelection/MediaSelection.php
@@ -25,23 +25,28 @@ protected function buildEntityQuery($match = NULL, $match_operator = 'CONTAINS')
-    // In order to create a referenceable media, it needs to published.

    Won't we still need this if the current user doesn't have the permission to view an unpublished entity they own? 

  3. +++ b/core/modules/media/src/Plugin/EntityReferenceSelection/MediaSelection.php
@@ -25,23 +25,28 @@ protected function buildEntityQuery($match = NULL, $match_operator = 'CONTAINS')
+    // Permission to "view own unpublished content" allows

    Should say 'media' not 'content', as content means nodes. 

  4. +++ b/core/modules/media/src/Plugin/EntityReferenceSelection/MediaSelection.php
@@ -50,10 +55,16 @@ public function createNewEntity($entity_type_id, $bundle, $label, $uid) {
+    if ($this->currentUser->hasPermission('view own unpublished media')) {

    Do we need to handle the case where the user doesn't have the permission?

akram khan’s picture

akram khan
Primary language English
Location Cuttack, Odisha
commented
StatusFileSize
new 3110677-13.patch2.71 KB

Created patch against 9.4.x and address comment #12

akram khan’s picture

akram khan
Primary language English
Location Cuttack, Odisha
commented
StatusFileSize
new 3110677-14.patch2.71 KB
new reroll_diff_6-14.txt2.2 KB

Updating patch #12 as custom command failed and attaching the reroll file

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

daniel korte’s picture

daniel korte
he/him/his
Primary language English
Location Brooklyn, NY
commented
Category: Task » Bug report
Status: Needs work » Needs review
StatusFileSize
new 3110677-17.patch3.82 KB

I’m changing this to a Bug Report since I would expect this behavior from the view own unpublished media permission, but let me know if I’m wrong here.

I cleaned things up and addressed comment #12 concerns. Also, I noticed the existing patches don’t apply to the Media Library Grid/Table Widget which also has this issue. I updated the Views config to mirror what is being used on the Media Library admin page with the media_status plugin. Everything appears to be working with the view own unpublished media permission now.

needs-review-queue-bot’s picture

needs-review-queue-bot commented
Status: Needs review » Needs work

The Needs Review Queue Bot tested this issue.

While you are making the above changes, we recommend that you convert this patch to a merge request. Merge requests are preferred over patches. Be sure to hide the old patch files as well. (Converting an issue to a merge request without other contributions to the issue will not receive credit.)

daniel korte’s picture

daniel korte
he/him/his
Primary language English
Location Brooklyn, NY
commented
Status: Needs work » Needs review

Daniel Korte opened merge request !7167

needs-review-queue-bot’s picture

needs-review-queue-bot commented
Status: Needs review » Needs work
StatusFileSize
new 3110677-nr-bot.txt2.01 KB

The Needs Review Queue Bot tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

daniel korte’s picture

daniel korte
he/him/his
Primary language English
Location Brooklyn, NY
commented
Status: Needs work » Needs review

Try again...

smustgrave’s picture

smustgrave commented
Issue summary: View changes
Status: Needs review » Needs work
Issue tags: +Needs tests

Unsure, maybe another permission to check when the user doesn't have "administer media" permission.

Don't think this matches the solution in the MR

As a bug will need a failing test case showing the issue.

jessmm’s picture

jessmm commented

This appears to not only be limited to referencing a users own unpublished media. We have also experienced users not being able to reference unpublished media from other users. In this case, the user has the permissions to 'create media' and 'update any media'.

ericgsmith’s picture

ericgsmith commented
Related issues: +#3110677: [PP-1] Referencing new media requires "administer media" permission
ericgsmith’s picture

ericgsmith commented
Related issues: -#3110677: [PP-1] Referencing new media requires "administer media" permission +#2845144: Users without 'bypass node access' permission can't reference unpublished content even if they have access to it
ericgsmith’s picture

ericgsmith commented

Related issue #2845144: Users without 'bypass node access' permission can't reference unpublished content even if they have access to it is talking along similar lines but for content, not media. To me this feels like a shared issue around unpublished entities being hidden from users who have access to them.

ericgsmith’s picture

ericgsmith commented

I think similar to the related issue - this check should also take the permission view any unpublished content into account since view any unpublished content also applies to media

Perhaps this is realistically postponed until #2845144: Users without 'bypass node access' permission can't reference unpublished content even if they have access to it lands so that the BC impact can be the same, once that config in the related issue is added it can be used here>

ericgsmith’s picture

ericgsmith commented
Assigned: Unassigned » ericgsmith

I have started expanding test coverage for the selection handler - end of the day for me so assigning to me as I intent to continue working on this tomorrow, still need find where the validate new references is tested.

Added additional permission check mentioned in #28 - have not added this to the validate method yet - that is still to be done.

I still believe this will need to wait for #2845144: Users without 'bypass node access' permission can't reference unpublished content even if they have access to it to land as that introduces a BC layer for this logic change to the base handler - I think it makes sense to wait for that issue to land rather than trying to work that in now and likely this could be postponed as a follow up - but I will try complete the remaining work soon as I need this functionality now and do not have a concern about it being a BC break.

ericgsmith’s picture

ericgsmith commented
Title: Referencing new media requires "administer media" permission » [PP-1] Referencing new media requires "administer media" permission
Assigned: ericgsmith » Unassigned
Issue summary: View changes
Status: Needs work » Postponed
Issue tags: -Needs tests

I have expanded some tests - from a quick look I couldn't find existing tests covering the new entities behaviour - the validation constraint looked to be the appropriate place to add that.

Once #2845144: Users without 'bypass node access' permission can't reference unpublished content even if they have access to it lands with the include_unpublished_entities setting on the base handler that can be incorporated here. Setting to postponed based on that.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.