Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
Unpublished media can not be viewed by owner.
I have just noticed that a Media entity in unpublished state can not be viewed by the owner which is weird. The only exception is when the owner has the "administer media" permission.
Steps to reproduce
1. Create a roll with 'create media' and 'delete own media' and 'update own media' permission
2. Create a user and assign the role created in step 1.
3. Login as the user from step 2
4. Create a media item
5. Try to view the media item
Expected:
See media entity.
Actual:
Access denied.
Proposed resolution
- Allow user with a new 'view own unpublished media' permission to view their unpublished media.
Comment | File | Size | Author |
---|---|---|---|
#146 | 2889855-146.patch | 30.26 KB | seanB |
#146 | interdiff-132-146.txt | 7.43 KB | seanB |
#132 | interdiff-129-132.txt | 38.73 KB | seanB |
#132 | 2889855-132.patch | 27.52 KB | seanB |
#129 | interdiff-127-129.txt | 2.93 KB | seanB |
Comments
Comment #2
balazswmann CreditAttribution: balazswmann commentedIt seems the problem can be solved pretty easily.
Comment #3
balazswmann CreditAttribution: balazswmann commentedComment #4
BoobaaComment #5
marcoscanoThis test fails before the patch and passes after it.
Comment #6
phenaproximaCan we have a fail (test-only) patch, just to prove that this fix works? Once that's here, this is squarely RTBC from me.
Comment #7
marcoscanoSure!
Comment #9
phenaproximaYay! RTBC for #5.
Comment #10
Wim LeersCacheability metadata is now incorrect.
Comment #11
marcoscanoComment #12
BoobaaLooks good to me.
Comment #14
Wim LeersAs the tests show, this results in worse cacheability for 100% of cases.
You can improve this by doing:
Now it'll vary by
user.permissions
(better cacheability) unless the entity is unpublished, then it'll vary byuser
.Also,
MediaAccessControlHandler
is missing unit test coverage. See\Drupal\Tests\field\Unit\FieldStorageConfigAccessControlHandlerTest
for an example. Doesn't necessarily need to happen here, but it'll make things easier going forward for sure.Comment #15
pk188 CreditAttribution: pk188 at OpenSense Labs commentedUsed #14.
Comment #17
Wim LeersActually, that's not true. See
\Drupal\Tests\Core\Access\AccessResultTest::testOrIfCacheabilityMerging()
. Perhaps we should change the behavior oforIf()
, but that'd be out of scope here.Fix attached.
Tagging
forComment #18
Wim LeersComment #20
Wim LeersGreat, now
MediaAccessTest
is failing, notMediaCacheTagsTest
!These should be reverted.
And *this* should get
$this->assertCacheContext('user')
.Comment #21
Dinesh18 CreditAttribution: Dinesh18 as a volunteer commentedHere is the updated patch and interdiff.txt
Comment #22
chr.fritschAll tests should be fixed now
Comment #24
chr.fritschI added a dedicated MediaAccessControlHandlerTest.
Comment #25
Wim LeersWanted to RTBC this, but can't just yet — it's getting very close now though:
This is wrong: it's losing the
user.permissions
cache context. This was changed in #22.(Also, FYI: in Drupal core, we never use
camelCase
in local variables, only for class properties. I think you and I are both bored of pointing this out and fixing it :))This is not asserting cacheability. If it were, it'd help with sorting out the other thing I mentioned above :)
EDIT: to help your understanding, run this:
Comment #26
chr.fritsch1. So you mean i have to add cachePerPermissions() to $ownerAccess as well? I had to change it like this, because if the first AccessResult is already forbidden, it's not possible to get it positive with a orIf join.
Comment #27
seanBAddressed #25. Added a bunch of testcases for different combinations of permissions, ownership and published state. Also added asserts for the cache tags.
Please review!
Comment #28
chr.fritschComment #30
phenaproximaThis test is doing a lot of universe-mocking. Maybe it would make more sense as a kernel test?
This is a nit for readability, but all of these can be rewritten as such (obviously no need to do this if we change it to a kernel test):
$this->anon->method('hasPermission)->willReturn(...)
Comment #31
Wim Leers#30.1: that may very well be better indeed — see
\Drupal\Tests\system\Kernel\MenuAccessControlHandlerTest
and\Drupal\Tests\system\Kernel\DateFormatAccessControlHandlerTest
. Note that over there, we also can test cacheability metadata easily!Comment #32
chr.fritschHere is a new patch, based on KernelTestBase
Comment #33
chr.fritschThis needed a re-roll because of #2905748: MediaAccessControlHandler does not provide a helpful reason for when access is denied for the view operation
Comment #35
chr.fritschComment #36
phenaproximaThis looks good. However, I found the test rather difficult to understand (especially the $which_user/$which_entity stuff), so I refactored it a bit...
Comment #37
vijaycs85Here is some review comments:
Do we still need this additional condition? could be moved inside above if?
Really? MediaAccessControlHandlerTest(parent::setup()) already creates user and assign to ->user.
Can we add params in docblock?
Missing docblock.
Can we have better variable name?
Whole container setup can be moved to ::setup().
Comment #38
vijaycs85Comment #39
vijaycs85Functionally tested by following the steps in IS and fix looks working as expected.
Comment #40
phenaproximaAddressing #37:
1. This was already discussed in #25, so leaving as is after consulting with @seanB.
2. Nice catch. Fixed.
3. Fixed.
4. Fixed.
5. No longer relevant :)
6. I had to substantially refactor the test, but I was able to remove this entirely. This was a hack to get around the fact that, in the data provider, the container is not yet initialized -- yet AccessResult's caching methods call container services. I changed all of this so that the mocking is no longer necessary. The test just uses the real cache context manager, as it should be in a kernel test.
Comment #41
vijaycs85cool method. now we are missing docblock for this method :)
Comment #42
phenaproximaWerd to that.
Comment #43
vijaycs85Thanks @phenaproxima. Looks good to go!
Comment #44
catchDoes this need a check for $account->id() > 0? For example a user cancels their account, their content gets re-assigned to user/0, now anonymous users could potentially see the previously unpublished and invisible to everyone else content.
Also is not having a specific 'view own unpublished' permissions like nodes do intentional?
Comment #45
phenaproximaGood points.
After quick discussion with @catch, I think we'll need to ensure that anonymous users do NOT have permission to view unpublished media at any time. So let's account for that case, and add a test to ensure it.
My feeling is that we should also add a 'view own unpublished', but I'm open to debate about that.
Comment #46
chr.fritschI think 'view own unpublished' makes sense for media as well. There could be couple of use cases where this would be useful.
Comment #47
vijaycs85Added the permission and updated the AccessHandler to obey new permission with test coverage.
Comment #48
vijaycs85Comment #49
seanBThe check for "view own unpublished media" should probably be moved to the same check as for
$is_owner
. Right now it seems owner can still get access to own unpublished media without the permission.This also seems to indicate that we should add some more tests for this.
Comment #50
vijaycs85not sure @seanB. $is_owener checks if $account->id(). so anonymous user (id=0) still won't be able to see, even if own media?
Comment #51
phenaproximaI do find this logic a little confusing and hard to follow. Can it be refactored for clarity? Perhaps we could use the ->orIf() functionality of AccessResult. If not, can we at least add a comment?
$media doesn't seem to be used after this.
I don't understand why we're granting permissions to the anonymous role here?
Comment #52
seanBGood one! Missed that. I do think "view own unpublished media" should still be linked to the
$is_owner
check. I think currently the first one checks for the permission, but doesn't actually verify that you are the owner.Comment #53
vijaycs85#51.1 - Sure, I have updated with orIf().
#51.2 - Good catch! removed it.
#51.3 - This is to validate if we give 'view own unpublished media' to anonymous for some reason, still won't be accessible.
#51.4 - Added few cases.
#52 - ok, I feel $is_owner is purely account specific, not permission. Do you still feel (after #51.1 fix) we need an update on $is_owner?
P.S: just to be clear on uid in
Drupal\Tests\media\Kernel\MediaAccessControlHandlerTest::testAccessProvider
: passinguid=>0
would make the entity created by anonymous user as!isset($entity_values['uid'])
would still be FALSE and skip$entity_values['uid'] = $user->id();
.Comment #54
seanBIf I'm not mistaken
allowedIf($account->hasPermission('view own unpublished media') && $account->id() > 0)
will allow access to a media item when I have the "view own" permission, even when I'm not the owner right?It should probably be something like this:
Comment #55
vijaycs85True, my bad. Updated as per suggestion and tests are green locally:
Comment #56
seanBSorry, I think we are almost there. The tests pass even though I think we still have an issue.
This is still missing the $entity->isPublished() check. Currently, owners can seem to view unpublished media with only the "view media" permission?
With the new "view own" permission, I think we no longer want this to be true. The test should be updated accordingly. This one should have failed.
Could we add an extra assert here to verify the anonymous user is able to view published? So we assert a 200 for published media, unpublish it and assert for 403 directly after it. Just to be sure.
Comment #57
vijaycs85I had to re-roll as #2905213: Bring back "access media overview" permission got in.
don't feel sorry, we are improving it every step :)
#56.1 - It feels repeating as the 'view media' and 'published' status are the first checks (which $access_result holds) and I see your point that we don't want to allow owners to see unpublished without 'own unpublished' access. In that case we don't need to do
AccessResult::allowedIf($account->hasPermission('view media') && $entity->isPublished() && $is_owner)
inside if condition as we know for sure, it would fail?#56.2 - Updated
#56.3 - Done.
Tested this patch at #1970534-155: Patch testing issue to make sure, it's all green
Comment #58
seanBI agree, the "view media" permission shouldn't do anything special for your own published media. This looks good to me, nice work. Thanks!
Comment #59
catchThis isn't testing the case where the media is owned by user 0 from #44/#45. The recent changes fix bugs that were trying to handle that case, but it seems like that's happened by not preventing it at all. I think it would be good to expand the test coverage first so we know we're covering everything.
Comment #60
vijaycs85Thanks @catch. You are right, that case is covered in MediaAccessControlHandlerTest not in MediaAccessTest. We can certainly extend it.
Not sure if I understand this correctly. does it mean test-only patch?
Comment #62
phenaproximaBest I can tell, we're good to go here...
Comment #63
larowlanAdding @catch for review credit
Comment #64
larowlanDo we need to assert absence/presence of cache context here too.
nit: do we need the 'view media' here given we added it in previous hunk?
We already did this above. By saving here, I think we invalidate based on
addCacheableDependency($entity)
i.e we're not testing that granting the role/user the permission invalidates the cache. It should (because we usecachePerPermissions
but we're not testing that. So I think we should remove this line.Comment #65
seanBFixed everything in #64. Als moved the tests for 'view own unpublished media' a bit to the top to make the order of the test cases more logical.
Comment #66
chr.fritschChanges are looking good
Comment #67
larowlanpassing this as an array feels a bit icky. Should we just separate them into separate arguments in the assert and provider?
Comment #68
phenaproximaWe could, but then the test method is going to have, like, a bazillion arguments. We are asserting four access results, so each one would require three arguments (allowed/forbidden, cache tags, and cache contexts), for a total of twelve arguments...plus the other arguments the test method takes. Even for a test method, that's too many arguments :) Collapsing them into arrays isn't optimal, but it ultimately makes for more readable code. It'd be even nicer if PHP had tuples, but...well, I don't want to get rant-y.
There was, unfortunately, no other way to do it whilst continuing to use the data provider pattern (which we aren't going to drop, because it allows us to easily test so many different cases). Trying to create the full AccessResult and apply cache tags to it in the data provider would cause exceptions, because the cache context manager makes various static service calls, and the container is not initialized in the data provider. So this is the workaround we came up with -- the previous workaround was a lot ickier. If you have other ideas, I am open to them, but this is the best way we could collectively come up with.
Comment #69
larowlanTrying to test all the operations and create in the same case is the issue I think.
Something like this makes the operation a parameter and splits out create.
So we have more granular test cases, which makes it easier to debug and resolve a fail too.
Doing shows that create is unrelated to the other permissions as there are no entity values, and hence reveal that many of the create tests duplicate each other, as the permissions don't change.
What do you think of this approach instead?
Comment #70
dawehnerDon't you need to add this also for the case that
$is_owner
is false, see #2909138: NodeAccessControlHandler doesn't set current user cache contextComment #71
phenaproximaRe #69 -- that looks good, and is cleaner. Thanks, @larowlan! I have learned from this. :)
Comment #72
larowlanFor #70
Comment #73
chr.fritschI rewrote the node test in #2909138: NodeAccessControlHandler doesn't set current user cache context for media and it has thrown an error. So i added the ->cachePerUser() to fix it.
After that, i had to adjust some contexts from other tests.
Comment #74
phenaproximaSince this is a functional test, it might be preferable to visit the media item itself and assert a response code, no?
I'm not sure we should be asserting raw markup. I think we could probably use XPath here to assert the presence of the element, rather than specific text.
Comment #75
chr.fritschThanks @phenaproxima,
i think that makes sense.
So visiting the actual media object and checking for the elements.
Comment #77
chr.fritschThe failing tests in #75 let think about the changes we did in #73, because basically all unauthorized requests are now un-cacheable.
Comment #78
chr.fritschOk, maybe this might help. Acting differently when we are media owner.
Good that #2765959: Make 4xx REST responses cacheable by (Dynamic) Page Cache + comprehensive cacheability test coverage landed in between...
Comment #80
Wim Leers#77 is correct — #2765959: Make 4xx REST responses cacheable by (Dynamic) Page Cache + comprehensive cacheability test coverage landed between #73 and #75, and is pointing out A) a bug that this patch is introducing, B) the lack of test coverage :)
Comment #81
Wim LeersComment #82
Wim LeersI'd write this differently (see rerolled patch), which makes for this diff instead:
Comment #83
BerdirUnconditional cache per user is AFAIK exactly what the previous patch was trying to avoid, exactly because it in reality disables dynamic page completely on media/X.
NodeAccessControlHandler does something similar, for the same reason (and obviously there it is even more important).
Comment #84
Wim LeersThat's not what that does.
orIf()
should result in the second access result only being incorporated into the final value if the first one didn't already allow access.Comment #85
BerdirFair enough, but the previous code was also wrapped in an owner check, so even if access is denied we don't add the additional cache context unless the current user is the owner.
Of course that is actually a bug, thinking about it, same for nodes. If someone with the same permissions (and other contexts) access a node that you own and are allowed to view as owner, then it will be cached and not re-checked for you, denying you access.
Which perfectly shows the problem with the view own permissions. Doing that correctly would disable dynamic page cache for all nodes, making it useless on most sites.. :)
Comment #87
xjmComment #89
govind.maloo CreditAttribution: govind.maloo at Salsa Digital commentedComment #90
govind.maloo CreditAttribution: govind.maloo at Salsa Digital commentedComment #91
govind.maloo CreditAttribution: govind.maloo at Salsa Digital commentedComment #92
govind.maloo CreditAttribution: govind.maloo at Salsa Digital commentedComment #93
NitebreedThis needs work if the patch in #2936652: Add "view unpublished $bundle media" permissions for each media bundle gets commited
Comment #94
mycw1991 CreditAttribution: mycw1991 commented@govind.maloo
@Wim Leers provided a patch in #82 with several tests, namely :
public function testMediaAnonymousUserAccess
public function testReferencedRendering
class MediaAccessControlHandlerTest
Is there a reason you have not included these?
Comment #95
michael_wojcik CreditAttribution: michael_wojcik as a volunteer and at Mediacurrent commentedRe-rolling the patch from @govind.maloo in #90 for use with Drupal 8.4.x branch.
Comment #96
phenaproximaThis is now a potential blocker for #2878119: Whether queued or not, update the media thumbnail and metadata before beginning the entity save database transaction, so I'm escalating it to Media critical.
Comment #97
phenaproximaDiscussed with @Berdir in Slack. With regard to caching, the long and short of it is:
Comment #98
chr.fritschI started to implement the new proposal based on #78. First I had to reroll the patch. I think the proposed logic is now implemented, but a lot of tests will fail. Couldn't start to fix them, because I have to leave for the airport very soon.
Comment #99
chr.fritschHere is the interdiff
Comment #102
seanBFixed a small issue in the latest patch. We should return access neutral when the node is unpublished and the user is not the owner. Also tried to fix the tests.
Comment #103
marcoscanoSince it's been a year since I worked on this, and the resulting patch is significantly different than what it was at that time, I feel it shouldn't be a problem if I RTBC it.
Looking good, thanks @seanB and @chr.fritsch !
Comment #104
catchFound the following minor issues and one major one:
Should be tests.
Tests access for embedded media items.
Also:
#70 is still an issue as far as I can see.
I think the logic should be like this:
1. If the user doesn't have the 'view own unpublished media' permission, then return AccessResult::neutral() and cache by permission.
2. If the user does have the 'view own unpublished media', then always cache per user, because in this case, we always need to check if the current user is the owner or not.
And this should probably have additional test coverage for that case (i.e. two different users, both of whom have 'view own unpublished media' try to view the same item).
Comment #105
phenaproximaDiscussed with @Berdir and @catch in Slack.
I admit I find this issue hopelessly confusing, so I just threw up my hands and asked them what we want to test. We need to be sure we have a test scenario like this:
Let's make sure we have that.
Comment #106
vijaycs85Fixed all items in #104 and test scenario in #105
Hopefully, I got this right.
Comment #108
seanBWas also working on this, sorry vijaycs85. Just posting what I got since 102.
Fixed the coding standards and points 1/2 from #104. Also expanded the tests in
MediaAccessControlHandlerTest
to make it more obvious what we are testing (we were also missing some of the cases).If this is true, the cache contexts for 'update media' / 'delete media' permissions (which are confusingly enough the permissions for update own / delete own) are probably not correct as well:
Added a new patch with the fixes, the extra tests and the fixes in
MediaAccessControlHandler
.Comment #110
vijaycs85no problem. I am sorry for stepping on @seanB. I thought of ping at #media slack, but I didn't :(
Comment #111
BerdirThis is not the same as before.
Now you always return if the user has the edit own permission, before only if he had access.
So if he has that permission and is not the owner, then he gets access denied now, even if he for example also has the "update any media" permission.
That said, agreed that before it wasn't correct either and could have been cached for a user that has the permission but isn't the owner.
We might need to switch away from early returns, and instead do something like adding by-user cache context always to a created $access result operation is update/delete and user has the respective own-permission.
Comment #112
seanBPlease, don't be sorry. I'm adding the test you wrote to the patch as well, it is a good test to have! Thanks for helping out.
#111 You are right, adding more tests and going to fix this now.
Comment #113
seanBNew patch attached.
Comment #115
phenaproximaLots of great stuff in this patch. I haven't worked on it for a while, so I'd feel comfortable RTBCing with a few changes...
Both permissions are still in media.permissions.yml, which would imply they're not actually deprecated.
Should we also assert the presence of the user.permissions cache context?
Let's use $media_child->setUnpublished()->save() instead of setting 'status' directly.
All of these calls can be chained: entity_get_display()->set()->setComponent()->setComponent()->save(). Also, I think we should display the label of the referenced entity (and the field itself) so that we can assert the absence of known strings, rather than just a CSS selector which we don't control.
Should be string[].
The operations should be single-quoted (e.g. 'view')
Both of these should be string[].
This should be providerAccess, in keeping with existing core conventions.
Can't this just be:
Everything except $expected_result should be string[].
This is never going to be an array.
Should be string[]
Why isn't this AccessResultInterface?
Needs to be called providerAccess(), because any method that starts with test() will be called a test by PHPUnit.
This has got to be one of the most thorough tests in all of core. Amazing work!
Can we change every occurrence of the odd-sounding 'owner permissionless' to 'owner, no permissions'?
"not owner, no permissions"
"owner, can view media"
"not owner, can view media"
"owner, can view unpublished media"
"not owner, can view unpublished media"
"owner, can view unpublished media and update or delete any media"
"owner, can view unpublished media and update or delete own media"
"not owner, can view unpublished media and update or delete own media"
"owner, can view unpublished media and update or delete all media"
"not owner, can view unpublished media and update or delete all media"
I think all the array keys in this data provider also need to be more clearly phrased...
Comment #116
seanB#115
1. That's why it's still a todo with a link to the other issue right?
2. I believe the 'user.permissions' cache context is omitted here because it's folded in the parent 'user' context.
3. Fixed
4. Fixed
5. Fixed
6. Fixed
7. Fixed
8. Fixed
9. Fixed
10. Fixed
11. Fixed
12. Fixed
13. Fixed
14. Fixed
15. Yay!
16. Fixed
17. Fixed
18. Fixed
19. Fixed
20. Fixed
21. Fixed
22. Fixed
23. Fixed
24. Fixed
25. Fixed
26. Fixed
27. Fixed. Basically started over with the cases since some didn't seem to make sense.
Comment #117
phenaproximaInterdiff looks good. This is a critical Media issue that has been in limbo long enough; I feel okay about it.
Comment #118
alexpottThis result should still have
->addCacheableDependency($entity);
as the result can change if the entity changes.The new early return for non-allowed case means that a reason will no longer be set if the user is not the owner.
Comment #119
seanB#118
1. Fixed
2. Fixed
Comment #120
phenaproximaChanges look correct to me. Back to RTBC once green on all backends.
Comment #121
seanBUpgrading this to critical since this is a blocker to commit #2878119: Whether queued or not, update the media thumbnail and metadata before beginning the entity save database transaction, which is also a critical issue.
In #2878119: Whether queued or not, update the media thumbnail and metadata before beginning the entity save database transaction the decision was made to temporarily unpublish media when metadata fetching is queued. We do this to make sure incomplete media items are not shown on the site and/or possibly indexed by search engines. Without the permission added in this issue, there is no way for a user to see the media item that it just created.
Comment #122
effulgentsia CreditAttribution: effulgentsia at Acquia commentedAre the 'update' and 'delete' changes in this patch relevant to this issue? If so, how? If not, can we split them out into a separate issue?
Possibly related, the issue summary's proposed resolution still says "Allow user with create/update/delete permission to view her/his unpublished node", but it doesn't look like that's what the patch implements anymore.
Comment #123
seanBIn this issue we've noted missing test coverage that allowed us to have this "bug" in the first place, so we spent a lot of time getting the tests right. In doing so, we uncovered more bugs, some related to update/delete access. We could remove all the update/delete related test coverage we added and fix the update/delete bugs in a separate issue, but that would mean a lot of work with little added value. I hope we can avoid that.
Updated the IS to reflect the new permission a little better.
Comment #124
alexpottThe issue this is blocking (#2878119: Whether queued or not, update the media thumbnail and metadata before beginning the entity save database transaction) is no longer critical.
Comment #125
phenaproxima@efflugentsia's question is answered, so I think we can go back to RTBC.
Comment #126
effulgentsia CreditAttribution: effulgentsia at Acquia commentedCan the IS be updated to include what those bugs were and how they were fixed?
I think the added value would be a commit history that's clear about what got fixed in what commit. But I don't want to add a lot of extra work to achieve that, so perhaps just a more complete issue summary (and maybe also including it in the issue title too, if possible, since that's what goes into the commit message) is sufficient.
Additional value would be if it turned out we needed a revert for one of the changes (either the change to view access logic, or the change to update/delete logic), we'd be able to do it without reverting the other change. So if it weren't a lot of work to split it, I'd prefer that, but since it is a lot of work to split, I'm okay with taking the risk of keeping it together.
Comment #127
seanBUpdated the IS. Looked over the patch once more. Updated the reasons since they could be improved. Also added the media entity as cacheable dependency for the 'edit any $type media' and 'delete any $type media' since it was missing. This made me notice that we are missing tests for the 'edit any $type media' / 'edit own $type media' and 'delete any $type media' / 'delete own $type media' permissions, so that got added as well.
Comment #129
seanBTest fixes.
Comment #130
phenaproximaDiscussed this in Slack with @seanB.
We understand that this issue has spiraled way out of control, and the patch we have so far now contains both bug fixes and new features. This is obviously very committer-unfriendly, and although the test coverage is stunningly comprehensive, the mixed nature of the patch makes it prone to being reverted. Which would shatter our hearts.
This, according to Sean, is the laundry list of permissions-related bugs we are facing (and trying to fix in this one patch):
Although it saddens us to do it, we have agreed to deal with all of these problems in separate issues, which will be much smaller in scope and a lot easier to review and commit. We're hoping that as many of them as possible can land in 8.6, since they are mostly bug fixes. We will add as much test coverage as we can for each one, drawing from the amazing work that has already been done -- although no single one of them can hope to be as extensive as what we've got in #129 -- and hopefully, once all these are fixed we can add a new mega-test (i.e., the colossal data provider from the latest patch) which extra-confirms all of this stuff works as expected.
So...I'm thinking of turning this into a meta-issue and filing sub-issues for everything mentioned above. Thoughts?
Comment #131
effulgentsia CreditAttribution: effulgentsia at Acquia commentedThat sounds great, thank you! Also, if you want to RTBC #129, and then if any sub-issue's patch contains only a subset of changes from #129, without introducing any additional changes, you can just file the sub-issue as RTBC.
Feel free to split how you'd like, but I would suggest the following:
MediaAccessControlHandlerTest
, withproviderAccess
, and only the items in that provider that pass on HEAD. I can commit that first, so that the remaining ones can be rolled on top of it.providerAccess
items from #129 that pass as a result. If none do until other steps are done, then that's ok too, I'd be fine committing without test coverage, and punting that coverage to a later step.'view own unpublished media'
andproviderAccess
items that that enables.Comment #132
seanBThe attached patch removes all the changes related to the update/delete access. So this should just add some the new permission and extra tests for existing functionality.
Comment #133
seanBCreated follow ups:
#2998824: MediaAccessControlHandler update/delete access caching is not correct
#2998825: MediaAccessControlHandler update/delete access reason contains not existing permissions
Comment #134
alexpottComment #135
seanBUpdated the IS to remove the update/delete access cache issue since that is now a followup.
Comment #136
Wim LeersSo:
Correct?
I think that is already a big simplification in scope: the patch became ~55% smaller.
Comment #137
seanBThat is correct :). Hopefully this is enough to get this done.
Comment #138
Wim LeersWhy does this happen? This seems to contradict the logic in the access control handler?
Nit: s/medias/media items/
Point 1 is the only reason I'm not yet marking this RTBC.
Comment #139
seanBSee #44 and #45. I personally don't have a strong opinion on this. I think you shouldn't grant 'view own unpublished media' to anonymous users anyway, but I don't have any problems enforcing that.
Comment #140
Wim LeersI should've been more clear: I am fine with the behavior, I just don't see how the patch in #132 is making that happen!
I see a check for user
0
in #47's patch, but not in #132. What am I missing?Comment #141
seanBAh, no worries. In
MediaAccessControlHandler
the$is_owner
variable is:$is_owner = ($account->id() && $account->id() === $entity->getOwnerId());
That means users with ID zero can never be considered an owner. So that uid check was not necessary.
Comment #143
Web-BeestThank you @seanB for mentioning this on Slack. I've been stuck on this for too long. I hope it'll be fixed soon :-)
Comment #144
Wim LeersI completely lost track of this, sorry for the lost month :( Reviewing later today.
Comment #145
Wim Leers👍 If the current user has the
view own unpublished media
permission, this is associating theuser
cache context always. That was the most risky detail to get right.🔎👀 This if-test is not necessary it can just become
->setReason(…)
:)👍 The new message is definitely clearer.
👍 Very clear.
🔎👀 Prior to unpublishing it, I think we should assert a 200 response code. (Either that, or we should just remove the assertions on lines 104–106.)
👍 This is explicitly asserting what I called out in point 1. It also is explicitly testing the presence of the
user
cache context. 👏🤔 +1 to this behavior …
but I don't see where theAhhhh this line in HEAD:MediaAccessControlHandler
is making this happen?🤔 I think we might want to assert that the
user
cache context is present in both cases.I also think we want a third user with only the
view media
permission: they should also not be able to see the child title, but they should NOT get theuser
cache context.Nit: s/entity/entity type/ or s/entity//
👏👏👏👏👏
Comment #146
seanBThis apparently needed a reroll, so the interdiff also contains things needed to fix the tests.
Besides that I fixed #145.
Comment #147
Wim LeersHah, nice catch!
Comment #148
phenaproximaAdding credit for @Berdir and @effulgentsia, for important reviews.
Comment #151
effulgentsia CreditAttribution: effulgentsia at Acquia commentedPushed to 8.8.x and 8.7.x.
Comment #152
Wim LeersNice, this unblocked #2998824: MediaAccessControlHandler update/delete access caching is not correct!