Channel: Issues for Drupal core

The media library should perform access checks against the revision of the entity being edited


Problem/Motivation

Currently, when the media library does access checking on the entity that opened it, it loads that entity with a plain \Drupal\Core\Entity\EntityStorageInterface::load, which returns the default revision. When editing inline blocks with Layout Builder, both of these things are true:

  • You aren't guaranteed to be modifying the latest or default revision of an inline block.
  • The revision ID of an inline block is very important to its access control.

Steps to reproduce:

  • Enable media_library, layout_builder.
  • Add a media field + media library to a custom block type.
  • Enable layout builder + per entity overrides on a content type.
  • Embed a block with the media library field into a per entity override.
  • Create two revisions, modify the inline block in both.
  • Go to the "Revisions" tab and revert to the first revision.
  • Go back to the layout tab and try to edit and save a new image in the media library.
  • The AJAX request comes back with a 403.

What is happening under the hood:

  • The media library has a block content entity ID.
  • It loads that entity and checks access against it.
  • The inline block's access is based on its host entity, so it loads the host and confirms that the block's revision ID is the one used on the layout (\Drupal\layout_builder\EventSubscriber\SetInlineBlockDependency::isBlockRevisionUsedInEntity).
  • The revision returned by the media library's ::load call doesn't match the revision ID actually referenced in the layout, so the access chain is broken and the result is an access denied.

Proposed resolution

Pass the host entity's revision ID around instead of its entity ID, and load that revision for the purposes of access control.
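One way to implement the proposed resolution, as an added example that is not the issue's own patch: the weak, ID-based check beside a revision-based one. The function names and the keys of $opener_parameters are assumptions.

```php
<?php

// Added example, not Drupal core's patch: an access helper for a media
// library opener whose opener parameters carry the host entity's revision ID.
// Function names and the shape of $opener_parameters are assumptions.

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Entity\RevisionableStorageInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Weak variant (the behaviour the issue describes): ::load() returns the
 * default revision, which is not necessarily the revision on the layout being
 * edited, so the inline block's revision-based access check can fail.
 */
function example_media_library_access_by_id(EntityTypeManagerInterface $manager, array $opener_parameters, AccountInterface $account): AccessResultInterface {
  $storage = $manager->getStorage($opener_parameters['entity_type_id']);
  $entity = $storage->load($opener_parameters['entity_id']);
  if (!$entity) {
    return AccessResult::forbidden('Host entity not found.');
  }
  return $entity->access('update', $account, TRUE);
}

/**
 * Hardened variant: load the exact revision the layout references and check
 * access against that, falling back to the entity ID only when the storage
 * is not revisionable or no revision ID was supplied.
 */
function example_media_library_access_by_revision(EntityTypeManagerInterface $manager, array $opener_parameters, AccountInterface $account): AccessResultInterface {
  $storage = $manager->getStorage($opener_parameters['entity_type_id']);
  $revision_id = $opener_parameters['revision_id'] ?? NULL;
  if (!$revision_id || !$storage instanceof RevisionableStorageInterface) {
    return example_media_library_access_by_id($manager, $opener_parameters, $account);
  }
  $entity = $storage->loadRevision($revision_id);
  // Reject a revision ID that resolves to nothing, or to a different entity
  // than the one the opener claims to be editing.
  if (!$entity || (string) $entity->id() !== (string) $opener_parameters['entity_id']) {
    return AccessResult::forbidden('Revision does not belong to the host entity.');
  }
  return $entity->access('update', $account, TRUE);
}
```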

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet
