Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Problem/Motivation
When attempting to attach a media entity via the Media Library to a translated revisioned entity, it gives a 403 access denied – no reason.
The problem is in \Drupal\media_library\MediaLibraryFieldWidgetOpener::checkAccess
If the parameters from the media library state have a revision ID, it is loaded without fetching the translation from context.
if (!empty($parameters['revision_id'])) {
$entity = $storage->loadRevision($parameters['revision_id']);
The following access check is always forbidden:
$entity_access = $access_handler->access($entity, 'update', $account, TRUE);
When loading the translation from context, access is now allowed.
if (!empty($parameters['revision_id'])) {
$entity = $storage->loadRevision($parameters['revision_id']);
$entity_repository = \Drupal::getContainer()->get('entity.repository');
$entity = $entity_repository->getTranslationFromContext($entity);
Steps to reproduce
User with permissions:
- 'create content translations'
- 'delete content translations'
- 'translate any entity'
- 'translate editable entities'
- 'update content translations'
- 'create file media'
- 'create image media'
- 'create remote_video media'
- 'update media'
Proposed resolution
Pass the entity to the entity repository getTranslationFromContext method.
Pending finding a solution for the case of entity translation creation (the translation can not be fetched).
Remaining tasks
Write a test.
Cover the entity translation case.
Create a Change Record.
Add trigger_error for backwards compatibility.
User interface changes
API changes
Data model changes
Release notes snippet
Issue fork drupal-3197416
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
- 3197416-medialibraryfieldwidgetopenercheckaccess-denies-access-11-x
changes, plain diff MR !4516 - 3197416-medialibrary-fieldwidgetopenercheckaccess-denies-access-on-a-translated-entity-revision changes, plain diff MR !9450
- 3197416-medialibraryfieldwidgetopenercheckaccess-denies-access-9-5-x changes, plain diff MR !4515
- 11.x compare
- 9.2.x compare
Comments
Comment #3
mglamanChecking if tests pass as is.
Comment #7
smustgrave commentedCan you update the MR to the 9.5 or 10.1.x branch and check for errors?
Also for the tests.
Great issue summary!
Comment #10
eduardo morales albertiSame problem here!
I will try the patch
Comment #13
eduardo morales albertiAdded patch from the MR.
Comment #15
eduardo morales alberti@smustgrave is there anything else that should be reviewed? In our case, the patch seems to work well.
Comment #16
smustgrave commentedLeft some comments on the MR and this will still need a test
Comment #17
eduardo morales albertiThis seems that is not working on the create translation operation because the method getTranslationFromContext checks translations that already exist.
Comment #18
eduardo morales albertiComment #19
berdirI'm running into an edge case that's even trickier, in combination with #3047022: Layout builder fails to assign inline block access dependencies for the overrides section storage on entities with pending revisions as well as contrib layout builder modules, somehow the revision doesn't match what layout builder has.
But I suspect it's neither this nor the other issue, because what matters for layout builder is the revision id, which is the same. And i'm also seeing access denied results within the layout builder edit form for the delete button access check, so it's also confused about that. The site also uses modules like layout_builder_st and the content was cloned, so there so many possible things that could have and did go wrong.
Just documenting my findings for now in case someone else runs into a similar issue. Considering a custom patch that just grants full unconditional access to anything as we have no access restrictions for editors.
Comment #20
miksha commentedI have a translator role that doesn't have edit permissions. I also encountered the same when adding/updating translations with this role that AJAX error happens with message that user needs edit permission for entity type where media field is calling media library in order to change field value. I made a patch for this but not sure if it's the right approach or if it covers all situations but what I tested and works is that user with just `translate any entity` and without `edit` permissions is able to create new translation and also update media field. Editing existing translation and updating media field also works. Solution also covers translating entities other than nodes e.g. taxonomies with media field etc.
This issue is related to https://www.drupal.org/project/drupal/issues/3038254 where access check was also delegated further.
Comment #21
matt bI've just hit the same issue. I'm busy enabling translation on my site, having had issues years back with Media when it was a contrib module, I'd resisted implementing. Enabled it in D10 and hit this. Media does give a nice interface, but this issue means it is still unusable.
Comment #22
matt bI've applied both patchs and the issue is fixed for me.
Comment #23
needs-review-queue-bot commentedThe Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".
This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.
Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
Comment #24
matt bJust re-ran composer update and second patch (#20) won't apply, but I'm working fine with the first patch (#13)
Comment #26
miksha commentedI tested 11.x locally and it still has the same issue that my patch in #20 fixes. I created a new MR against 11.x and combined changes from both #13 & #20 patches. For me this fixes the AJAX error when translator role user has permissions like defined in issue description under Steps to reproduce but at the same time has no edit permissions.
Comment #27
smustgrave commentedWas previously tagged for tests so moving to NW for those.