Problem/Motivation
The media module doesn't specify an access control handler for the Media Type
config entity, but some information about the type (in this case, the label) is exposed in the general media view (/admin/content/media
).
If a user can access the view but doesn't have permission to administer media types, that column is exposed as empty.
The same doesn't occur with Node Types, once the NodeTypeAccessControlHandler
takes care of the access control.
Also, the bundle label is "Media Type", but we are exposing it on the view as "Source", which is inaccurate, this should be changed to "Media Type" as well.
Proposed resolution
Implement MediaTypeAccessControlHandler
as access handler for the MediaType
entity, and grant access for 'view'
operations whenever the user has the permission to view media
.
Remaining tasks
User interface changes
API changes
Data model changes
====== original issue report =========
Hello,
If a user has access to the media listing page (/admin/content/media) but don't have the "administer media types", the user can't see the media type ("source" column) in the media listing page (/admin/content/media).
He/she can still use the exposed filter but it would be good that he/she can also see the media types in the results.
Comment | File | Size | Author |
---|---|---|---|
#23 | 2932369-patch17.png | 121.08 KB | balsama |
#23 | 2932369-nopatch.png | 119.92 KB | balsama |
#19 | 2932369-17-test-only-FAIL.patch | 8.74 KB | marcoscano |
#17 | interdiff-15-17.txt | 2.63 KB | marcoscano |
#17 | 2932369-17.patch | 10.32 KB | marcoscano |
Comments
Comment #2
marcoscanoThanks for reporting.
This is in fact a bug because the column shouldn't be empty if the user has permission to access the view in the first place.
Also, IMHO we shouldn't be exposing "Source" as the column title, once the bundle entity label is "Media Type".
The patch attached should fix both points.
Comment #4
marcoscanoOK, let's try a less drastic approach.
Comment #5
marcoscanoAlso, realized that we have no test coverage whatsoever for the media overview page. I believe it would be weird to test just the label we are fixing here, and also out-of-scope to test everything in this issue, so I just opened #2932756: [PP-1] Add test coverage for media overview page to create a test that tests everything on that page.
Comment #6
BerdirDo we need "Media Type" or would just "Type" be enough since we are listing media entities?
I think we usually just use @inheritdoc on the propertiy
IMHO, I'd just combine this and tests into a single issue. Committing fixes without tests seems wrong, and if we need some tests anyway?
Comment #7
marcoscanoThanks @Berdir for reviewing!
Fair enough. I've closed the other one as duplicate and added some general tests for the view on this patch. Please let me know if something important is missing coverage.
Also, including a test-only patch to demonstrate the bug.
Thanks!
Comment #9
marcoscanoOh irony :)
Comment #12
marcoscanoComment #13
chr.fritschThis looks good to me. @Berdirs feedback was addressed, we have a failing patch to show the issue and a working patch to fix it.
Let's do this.
Comment #14
alexpottVery minor nit but since this would cause an unnecessary difference between config supplied by module and that which is exported from a site probably worth addressing. The quotes are unnecessary and would not be added by the config exporter.
Also this feels like an unrelated change and whilst correct probably worth its own issue. I.e. it is not necessary for the access fix.
Given this is the MediaTypeAccessControlHandler checking the type of $entity seems overkill. We don't check in \Drupal\user\UserAccessControlHandler() for example.
I think this should also be allowed if the user has the admin permission "administer media types". Although I do wonder if we should just allow access here - like date formats, menus etc... I'm not sure. Also is the permission correct. To see the view you need the permission
'access media overview'
not'view media'
.Comment #15
marcoscanoThanks for reviewing @alexpott!
1. Fixed, moved this change to #2934649: Fix wrong header "Source" on media overview page
2. Fixed
3.
We've gone with
view media
because this is the less restrictive permission, i.e., it would be unlikely to have a site where users canaccess media overview
oradminister media types
but notview media
. And it's not the same permission as the view (access media overview
because I'm not sure if the label access could be checked in other scenarios as well? Not sure though.On the other hand, I wouldn't blindly grant access here... I do think there may be legitimate use cases of sites where "all things media-related" may be separate from some parts of the site / users.
4. Fixed.
Comment #16
BerdirLooks fine to me. Having the media type label available for the view media permission makes sense to me.
The cache clear call is a a strange workaround. I'd recommend to just create a second user without the permission and pass each user explicitly to ->access().
Comment #17
marcoscanoYeah, I couldn't find a better way of clearing the access cache. But I agree an approach with 2 users seems cleaner.
Also, I moved that test to a kernel test, because it seemed to me it makes more sense there (instead of inside
MediaOverviewPageTest
, which is not strictly about testing the access handler).Thanks!
Comment #18
Berdirusers in kernel tests are a bit tricky because there is no user by default, so the first user is uid 1 and has full access to everything.
That's not the case here though because the base class already creates a user, so we should be OK.
Still, can you upload a test-only patch that fails for both the overview and this to be sure?
+1 on moving this to a kernel test, was thinking about the same.
Comment #19
marcoscanoThanks @Berdir for the feedback!
Here's a test-only patch that should fail.
Comment #21
BerdirGreat, failed as expected, #17 is RTBC imho.
Comment #22
xjm@balsama is going to add a couple screenshots here.
Comment #23
balsamaQuick manual test.
Comment #24
phenaproximaAll set with the ol' screenshots.
Comment #25
xjmGreat test coverage! And thanks @balsama, those screenshots are just what I was looking for.
Committed and pushed to 8.5.x. Thanks!
Comment #27
GrimreaperHello,
Thanks all for your work on this issue.
Comment #29
Nick Hope CreditAttribution: Nick Hope commentedThis patch appears to have fixed an issue I had in 8.4.4 whereby Views Grouping field Nr.2 headers were seen only by the administrator. Now solved in 8.5.0-beta1. Thank you very much.