Hi.

It seems that MBP is vulnerable to a reconfiguration of the iframe URL.

For instance, we can remove from MBP widget setting (in field setting) the access to Gallery and my Files and thus allow only access to MyFile (MBP) and Transfer.

URL is like
http://.../media/browser?render=media-popup&types%5Bimage%5D=image&enabledPlugins%5Bupload%5D=upload&enabledPlugins%5Bmedia_default--media_browser_my_files%5D=media_default--media_browser_my_files&schemes%5Bpublic%5D=public&schemes%5Bprivate%5D=0&file_directory=&file_extensions=jpg+jpeg+gif+png+txt+doc+docx...
But if we edit the iframe URL to http://.../media/browser, then all the tabs are now available and users can access files they do not own.

Question is: Is it intended (and thus MBP setting is "design only") or is it a security issue?
I did not check the impact of updating other parameters of the URL but enabledPlugins should be protected:
- access to undesired file
- ability to upload

For me, this is a security issue and thus I would need a way to restrict user to only "Transfer and myFile (MBP)".

Comments

das-peter

Status: Active » Postponed (maintainer needs more info)

Those lists are based on this view admin/structure/views/view/media_browser_plus/edit/ as the default views from the media module admin/structure/views/view/media_default/edit; the view and the displays have different access restrictions configured.
So if someone without the required permission adjusts the iframe URL, that should be caught by the views permissions.
Let me know if that is the case - if not we might have to check the media / views module.

JulienThomas

Status: Postponed (maintainer needs more info) » Active

In fact, the two extra tabs for my case are added by admin/structure/views/view/media_default/edit/media_browser_1 (Media Browser- default)

First,
Library (MBP) has permission "administer files" while
Library has permission "view all files"
so here we have an inconsistency. IMHO, the right permission should be "view all files" as this is the expected permission for viewing the library.

Second,
My Files (MBP and default) has permission "View my files" so this is okay from a setup point of view

But the only issue we have is that we can define the activated plugins per field. So this is not a view option but a "MBP - field" option that can only be dealt with through the MBP iframe call, no?

Right now, I changed the permission to role = administrator as the settings I made to MBP are at a global level (same for all fields) but
a) either this is the way to do it but then it must be well stated on the field setup (that security is set up at view level with a proper ref)
or
b) the security is at field level and should be implemented there

Don't you think?

das-peter

But the only issue we have is that we can define the activated plugins per field. So this is not a view option but a "MBP - field" option that can only be dealt with through the MBP iframe call, no?

No. This is handled by the Media module. You can create your own Media Browsing Views and configure them as you like. The Media module then lists all available views in the field settings.
That's at least what I mean to know atm.
If you have concerns regarding how this is handled you might check with the Media module maintainers.
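
The behaviour discussed in this thread, modelled as an added example that is not part of any comment above and is not code from Media or Media Browser Plus: a plugin list taken only from `enabledPlugins` in the iframe URL, beside one checked against a setting stored on the server. The host, the field name `field_image`, the "upload files" permission, the plugin id `media_default--media_browser_1` and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed server-side data: plugin -> permission (names are sample values).
PLUGIN_PERMISSION = {
    "upload": "upload files",
    "media_default--media_browser_1": "view all files",
    "media_default--media_browser_my_files": "view my files",
}
# Constructed per-field widget setting, stored on the server, never in the URL.
FIELD_PLUGINS = {"field_image": {"upload", "media_default--media_browser_my_files"}}


def requested_plugins(url):
    """Plugin names from enabledPlugins[name]=name pairs, or None if none given."""
    names = set()
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key.startswith("enabledPlugins[") and key.endswith("]") and value:
            names.add(key[len("enabledPlugins["):-1])
    return names or None


def naive_plugins(url):
    """Simplified model of the reported behaviour: no parameter, every plugin."""
    asked = requested_plugins(url)
    return set(PLUGIN_PERMISSION) if asked is None else asked


def enforced_plugins(url, field, permissions):
    """The URL may narrow the stored field setting but can never widen it."""
    allowed = {p for p in FIELD_PLUGINS.get(field, set())
               if PLUGIN_PERMISSION.get(p) in permissions}
    asked = requested_plugins(url)
    return allowed if asked is None else allowed & asked


BASE = "http://example.test/media/browser"  # constructed host
CONFIGURED = (BASE + "?render=media-popup&enabledPlugins%5Bupload%5D=upload"
              "&enabledPlugins%5Bmedia_default--media_browser_my_files%5D"
              "=media_default--media_browser_my_files")
PERMS = {"upload files", "view my files", "view all files"}  # constructed user

if __name__ == "__main__":
    for url in (CONFIGURED, BASE):
        print(sorted(naive_plugins(url)),
              sorted(enforced_plugins(url, "field_image", PERMS)))
```

The example assumes the server already knows which field the browser was opened for; how that context is carried is outside what this thread covers.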