Not sure what module this issue belongs to. It may be resulting from somewhere else but I'll start here.
On a new install, anonymous users see content with a YouTube video as expected, but also see above the video a menu with two items, Edit and Delete. These are links to the paths file/%/edit and file/%/delete.
With the recent commit to media, #2349977: DoS image derivatives in Media WYSIWYG, these paths return access denied.
It's a surprise to see this menu showing to anonymous users and not showing to admin roles when logged in. See attached screenshot. Firebug shows them to be contextual links.
Any suggestions on how to not show this to anonymous users would be appreciated.
| Comment | File | Size | Author |
|---|---|---|---|
| | anon-users-see-file-menu-edit-delete.png | 7.6 KB | izmeez |
Comments
Comment #1
gmclelland commented
Not sure, but this is probably due to this issue #2194821: Embedded media objects should honor display suite settings
Comment #2
izmeez commented
@gmclelland thanks for the link.
It led me to #2401811: With Media WYSIWYG enabled - "Contextual links" are shown for anonymous users, which I think makes this issue a duplicate. I'm going to close this. The other thread has a patch for review so I'll take a look.
Thanks.