Problem/Motivation
media_library.api.php states that while the media library itself is very opinionated, the openers act as a bridge between the system and the library: "An opener is a "bridge" between the opinionated media library modal dialog and whatever is consuming it"
Yet when you look into MediaLibraryFieldWidgetOpener, it is still very opinionated about where it's being used when it comes to access. This has led to several bug reports so far and it's likely to keep leading to bug reports as implementing code changes on the access level because the opener should frankly not be assuming anything about access checks. Some examples:
- #3197416: MediaLibraryFieldWidgetOpener::checkAccess denies access when modifying field values on a translated entity revision
- #3071489: Incorrect Access Check on Media Library
- #3124302: The media library should perform access checks against the revision of the entity being edited
Proposed resolution
Simply remove the access checks from the opener. If you're on an entity form using the media library, you obviously have access to be on said form. The media library should then only check for access to the media library. If we stop double-confirming whether you should actually be on the form, all of these bug reports go away.
Remaining tasks
Remove the access checking logic altogether.
API changes
Remove the access checking logic altogether.
Comments
Comment #2
zenimagine commented
Comment #3
jeffm2001 commented
I ran into an issue around this as well, and while I tend to agree it's too opinionated, I did find the original discussion of why these checks were added. It seems like useful context to have, if nothing else.
#3038254: Delegate media library access to the "thing" that opened the library starting around comment 62
Comment #5
erik.erskine commented
We've come up against two cases where a user should quite legitimately be able to use the media library but does not have the create access: group and layout builder.
I am interested in why checkAccess exists at all. As far as I can tell, it doesn't add anything useful. Especially given that while MediaLibraryFieldWidgetOpener considers the entity/bundle you're working on, MediaLibraryEditorOpener (used for ckeditor-added media) does not, and in fact does not even know what the entity/bundle are.
As a workaround, we have created the Media library unrestricted access sandbox module. It defines an unrestricted access to the media library permission and bypasses the createAccess check if the user has that permission. It's one stop short of the change this issue proposes, but could be a useful workaround in the meantime.
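A sketch of the permission-gated approach described in the comment above, added here as an illustration; it is not the sandbox module's code and not Drupal core's. The namespace, class name and permission string are hypothetical, and unlike the module described it wraps the whole of checkAccess() rather than only the createAccess call.

```php
<?php

namespace Drupal\example_media_access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\media_library\MediaLibraryFieldWidgetOpener;
use Drupal\media_library\MediaLibraryState;

/**
 * Field widget opener that relaxes the host-entity check behind a permission.
 *
 * Hypothetical example. To take effect, the core service
 * media_library.opener.field_widget has to be pointed at this class (for
 * example from a service provider's alter() method), and the permission
 * below has to be declared in the module's permissions file.
 */
class PermissionGatedFieldWidgetOpener extends MediaLibraryFieldWidgetOpener {

  /**
   * Hypothetical permission name; not a core permission.
   */
  const BYPASS_PERMISSION = 'use media library without host entity access';

  /**
   * {@inheritdoc}
   */
  public function checkAccess(MediaLibraryState $state, AccountInterface $account) {
    // Core's decision: entity create/update access combined with field
    // access for the entity type, bundle and field named in the state.
    $host_access = parent::checkAccess($state, $account);

    // allowedIfHasPermission() returns allowed or neutral, never forbidden,
    // and varies the result by the user's permissions for caching.
    $bypass = AccessResult::allowedIfHasPermission($account, self::BYPASS_PERMISSION);

    // orIf(): forbidden if either side is forbidden, otherwise allowed if
    // either side is allowed. A neutral "no create access" result from core
    // is lifted for holders of the permission, while an explicit forbidden
    // from an entity or field access hook still denies the request.
    return $bypass->orIf($host_access);
  }

}
```

Because the result is combined with orIf(), granting the permission only widens access where core returned neutral; it does not override modules that deliberately forbid access to the host entity or field.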