Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.
By bnjmnm on
Change record status:
Published (View all published change records)
Project:
Introduced in branch:
8.8.x
Introduced in version:
8.8.0
Issue links:
Description:
A "Published status or admin user" views filter for media entities has been added to Drupal core as part of the Media module. This filter is equivalent to the "Published status or admin user" that is used for nodes in the Content view.
This filter now enabled by default in the media_library view when Media Library is installed. For existing installations, this filter is added and enabled via hook_post_update.
Note that the while the filter label "Published status or admin user" includes the term admin user, this is applicable to any role/user with permission to access the unpublished media. This is the same language used by the existing node-specific version of this filter.
The addition of this filter ensures that users without permission to view unpublished media are not able to see it in any display of the media_library view.
This is potentially disruptive for sites that meet certain criteria
Only in this unlikely, but certainly possible use case:
- You have users with restrictions on their permissions to access unpublished media
- Despite these restrictions, you want them to be able to access the unpublished media via
media_libraryview that comes with Media Library
For sites that match the above criteria, there is most likely an underlying issue with permissions that should be fixed. However, it is still possible to return to the potentially-insecure status quo by removing the "Published status or admin user" filter from the Media Library views.
API Changes
The media-specific "Published status or admin user" status_extra filter is implemented in the media module as an implementation of FilterPluginBase. An additional WHERE query is added to the default query that returns results based on
WHERE the media is published
OR the media's uid matches that of the current user AND the current user is authenticated AND that user has the "View own unpublished media" permission
OR the user has the "Administer media" permission
OR(if content moderation is enabled), the user has the "View any unpublished content" permission.
Impacts:
Site builders, administrators, editors
