Deny access to all media library View Displays if there is no valid state object

I don't understand the issue summary because I don't know enough about the Media Library implementation details — only today I found out about \Drupal\media_library\MediaLibraryState!

Having dug deeper, I think I understand it now. What this is saying, is that the Media Library selection dialog (\Drupal\media_library\MediaLibraryUiBuilder::buildUi() or /media-library) should result in a 403 when it is opened without a valid MediaLibraryState.

However, didn't #3038241: Implement a tamper-proof hash for the media library state already do this? It added \Drupal\media_library\MediaLibraryUiBuilder::checkAccess() with this code:

  public function checkAccess(AccountInterface $account = NULL, MediaLibraryState $state = NULL) {
    if (!$state) {
      try {
        MediaLibraryState::fromRequest($this->request);
      }
      catch (BadRequestHttpException $e) {
        return AccessResult::forbidden($e->getMessage());
      }
      catch (\InvalidArgumentException $e) {
        return AccessResult::forbidden($e->getMessage());
      }
    }

AFAICT that already covers the scope of this issue?

Ah, I see, this is about adding similar access restrictions to not just the route (which already exists, done in #3038241: Implement a tamper-proof hash for the media library state), but also to the view?

👍— attempted to clarify the title for the next person looking at this issue :)

Wow, that's much simpler than I expected :D Assuming the test-only patch fails and the other one passes, this is definitely ready!

That worked as expected! 👍 🚢

Currently in HEAD, if you go to /admin/structure/views, then for the Media Library view, in the Displays column, you see links for /admin/content/media-widget and /admin/content/media-widget-table. In HEAD, clicking on them causes an unhandled exception, coming from MediaLibraryState::validateParameters(). Because of this, when you edit the Media Library view, and one of those displays, the live preview at the bottom doesn't work.

This patch replaces the unhandled exception with a 403, for all users, including user 1. That then continues to leave the live preview broken.

Is there anything we can/should do here to make the live preview work? And maybe also make the links from /admin/structure/views work? At least for some set of users (like ones with permission to edit the view)? I think that would make it easier for people to make changes to that View.

I don't know if that's really in-scope for this issue, since the live preview is already broken in HEAD, so curious what others think about whether to hold this up on that.

I don't know if that's really in-scope for this issue, since the live preview is already broken in HEAD, so curious what others think about whether to hold this up on that.

I think we should fix that in another stable-blocking issue, which I will file.

Opened #3060603: Live preview is broken when editing the media_library view. I think I'm going to send this back to RTBC, since the bug is pre-existing in HEAD and this issue does not exacerbate it.

Forgot to remove the tag.

Nice bug find @effulgentsia. I agree with @phenaproxima that it is not in scope here and we now have the follow-up so that's good.

Crediting @Wim Leers and @effulgentsia for issue review.

Committed and pushed a3ce6e70ed to 8.8.x and 734b9190b3 to 8.7.x. Thanks!