This is directly related to: #1870532: Missing module and permission checks on multiple upload submission

After uploading multiple files @ /file/add, I'm redirected by the file_entity module to admin/content/file/edit-multiple/%.

The problem is that media requires the 'edit any files' permission to view that page, so I often land on an "Access denied".

Why is that permission required? It doesn't make sense since I'm brought there after uploading my own files.

#10 media-permission_check_multiple_upload-1870538-10.patch2.18 KBaaron
PASSED: [[SimpleTest]]: [MySQL] 92 pass(es).
[ View ]
#3 media-permission_check_multiple_upload-1870538-3.patch1.8 KBmstef
PASSED: [[SimpleTest]]: [MySQL] 5 pass(es).
[ View ]
#1 media-permission_check_multiple_upload-1870538-1.patch1.24 KBmstef
PASSED: [[SimpleTest]]: [MySQL] 5 pass(es).
[ View ]


mstef’s picture

Status:Active» Needs review
new1.24 KB
PASSED: [[SimpleTest]]: [MySQL] 5 pass(es).
[ View ]

How does this look?

Added a custom access callback for the page, which passes in the array of files.

We iterate the files, and make sure the user can 'update' each.

mstef’s picture

This still redirects the user to /admin/content/file after submitting the form, which will result in a 403.

And the link could still possibly link to the same page..

mstef’s picture

new1.8 KB
PASSED: [[SimpleTest]]: [MySQL] 5 pass(es).
[ View ]

Updated to fix the 'cancel' link

ParisLiakos’s picture

Status:Needs review» Needs work


+++ b/includes/media.pages.incundefined
@@ -64,7 +64,7 @@ function media_file_page_edit_multiple($files) {
+    '#href' => isset($_GET['destination']) ? $_GET['destination'] : (user_access('administer files') ? 'admin/content/file' : '<front>'),

this should be splitted to an if/else would be easier to read

+++ b/media.moduleundefined
@@ -595,6 +596,27 @@ function media_file_download_access($field, $entity_type, $entity) {
+ * Access callback for the media-multi form
+ * ¶
+ * @param $files
+ *   An array of files being editing on the multiform.
+ * @return
+ *   TRUE if the current user has access to edit all of the files, otherwise FALSE.
+ */
+function media_multi_form_access($files) {
+  // Check that the current user can edit each file
+  if (!empty($files)) {
+    foreach ($files as $file) {
+      if (!file_entity_access('update', $file)) {
+        return FALSE;
+      }
+    }
+    return TRUE;
+  }
+  return FALSE;

maybe you should expose the $op as argument here instead of hardcoding it to 'update', so this function becomes even more reusable.

Also maybe rename it to _media_file_entity_access_recursive

Devin Carlson’s picture

fallenturtle’s picture

Could anyone provide advice on looking into how to backport this patch for 1.3?

Looking at the patch I found the places in the media.module to edit, but I cannot find the lines for /includes/ and I can't find the entity file patch from here #1870532: ( at all.

RaulMuroc’s picture

Should the suggestion in #4 be included in the patch in #3 as a new whole patch?

kumkum29’s picture


Do you include this patch in the next version of media?
in Media 7.x-2.0-alpha2 this patch is not present.


Devin Carlson’s picture

aaron’s picture

Status:Needs work» Needs review
new2.18 KB
PASSED: [[SimpleTest]]: [MySQL] 92 pass(es).
[ View ]

change from #4

RaulMuroc’s picture

Status:Needs review» Reviewed & tested by the community

For me #10 gave the expected results. Nice job! :-)

aaron’s picture

Status:Reviewed & tested by the community» Fixed

Status:Fixed» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.