Problem/Motivation
A group member with a group role that allows her to add and edit media entities in the group, but who doesn't have a site role with permission to 'create' or 'edit' new content (nodes), is not able to add media entities via the media library to a group page.
Steps to reproduce
- Create a user without site permissions to create or edit nodes
- Create a group and add the user as member
- Create a group role with permissions to add node entities and relations and add this role to the member
- Try to add an entity (node) that has a media field that uses the media library. Select a previously uploaded image and try to add it to the entity.
- It will fail in JavaScript console with 403 permission denied
Proposed resolution
- Take into account that group roles with permissions to add entities and relations should be enough as an access check validation and not rely just on site permissions because this is a group module.
Remaining tasks
- Patch
- Review
- Test
| Comment | File | Size | Author |
|---|---|---|---|
| #5 | groupmedia-3238469-5.patch | 2.04 KB | ludo.r |
Comments
Comment #2
akalam commented
Comment #3
a.dmitriiev commented
Media library widget at the moment has no context to know that it is opened within any group. There is also a related issue, so I added it here.
Comment #4
rgristroph commented
I think I am also seeing this issue.
Comment #5
ludo.r
As stated in the title, the groupmedia module does not check the group permissions to create the media entities. It relies on creating group relations, which is not exactly the same.
This patch provides an access check to match the create permissions.
It applies only to the entity.group_content.group_media_add_page route (/group/1/media), and returns allowed if the user has permissions, otherwise neutral.
Comment #6
lobsterr commented
Comment #8
lobsterr commented
Thank you for your contribution
Comment #10
hydra commented
Is there a particular reason that this has not been fixed for 4.0.x as well?
Comment #11
hydra commented
nvm - I see it has been adjusted to group_relationship, but still the upload does not work in media library modal without the global permission "create media" - I will open a new issue for that.
Comment #12
lobsterr commented
@Hydra, it has been done already. Check the latest release. I was working on the release, porting some commits from version 2 to 3 and then to version 4, and it took me some time.
https://git.drupalcode.org/project/groupmedia/-/commit/d3c65fd13fa05c0940b754f0b9743ad10c5f234f
Comment #13
hydra commented
Yeah, I stumbled on this. I think we need to add an additional AccessControlHandler on the Media entity in order to allow the upload via media library modal (not on the relationship create form itself).
Comment #14
lobsterr commented
Yes, I can do it later. For the moment, I just decided to port it as it is.
Comment #15
msnassar commented
Hello @Hydra and @LOBsTerr
We have encountered the same issue on a website. We have fixed the issue locally. But now, as we need to do the same for a new website, I have created a contrib module, Group Media Library. The module comes with some useful sub-modules: integration with the groupmedia, a fix for https://www.drupal.org/project/group/issues/3071489, and media tracker for media library...
Comment #16
msnassar commented
@LOBsTerr @Ludo.R
I started to update groupmedia module from 8.x-2.0-alpha11 to 8.x-2.0-rc2 for a website.
As I understand from #5, the patch is not fixing the media library issue, but the access to media for the entity.group_content.group_media_add_page route (/group/1/media). Anyway, I wonder if the patch in #5 is the right way to fix the issue with the route (/group/1/media):