
Add "view $bundle media" permission

Problem/Motivation

Creating a media item with restricted (limited to certain roles) view / download access is not possible.

An example for this would be a media type "private documents" which should only be available for elevated user roles and not to anyone having "view media" permission.

In #2862422: Add per-media type creation permissions for media, most permissions were split into bundle permissions, but "view media" wasn't. For view unpublished $bundle media there's already an issue, #2936652: Add "view unpublished $bundle media" permissions for each media bundle, but that doesn't solve the problem for published media with restricted view access.

#2904842: Make private file access handling respect the full entity reference chain goes even further by determining the media entity access from the parent entities, but that seems to be far in the future. For example, it's blocked by heavy tasks like #2835840: Track media usage and present it to the site builder (in the media library, media view, on media deletion confirmation, etc.)
In https://drupal.org/project/media_private_access some of the ideas were already implemented, and the view $bundle media permission requested here was also implemented experimentally:
https://git.drupalcode.org/project/media_private_access/-/blob/8.x-1.x/s...

Steps to reproduce

Add a media type whose files should only be accessible to certain roles, like "customer", "team member", "forum member" or whoever.
See that it's not possible, as there's only the global "view media" permission and no view media permission per bundle.

There's no way to restrict access to media bundles to certain roles without custom code, while granular permissions exist for CRUD!

Proposed resolution

  1. Introduce view $bundle media permission
  2. Grant view $bundle media for all bundles to anyone who had the view media permission before, like it was already done for create / edit / delete in #2936652: Add "view unpublished $bundle media" permissions for each media bundle, and rename "View media" to "View any media"
  3. Deprecate general "view media" permission with #2925459: Deprecate generic media permissions
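
The custom code a site needs today to get the same effect, as an added example that is not code from Drupal core or from media_private_access. The module name example_media_view is hypothetical, the permission string follows the "view $bundle media" format proposed above, and the permission callback is assumed to be listed under permission_callbacks in the module's permissions.yml file.

```php
<?php

/**
 * @file
 * example_media_view.module (hypothetical module name, illustration only).
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\media\Entity\MediaType;
use Drupal\media\MediaInterface;

/**
 * Permission callback: defines one "view $bundle media" permission per type.
 *
 * Assumed to be referenced from example_media_view.permissions.yml as:
 *   permission_callbacks:
 *     - example_media_view_permissions
 */
function example_media_view_permissions(): array {
  $permissions = [];
  foreach (MediaType::loadMultiple() as $id => $type) {
    $permissions["view $id media"] = [
      'title' => t('%type: View media', ['%type' => $type->label()]),
    ];
  }
  return $permissions;
}

/**
 * Implements hook_ENTITY_TYPE_access() for media entities.
 */
function example_media_view_media_access(MediaInterface $media, $operation, AccountInterface $account) {
  // Only narrow "view"; create / update / delete already have bundle permissions.
  if ($operation !== 'view') {
    return AccessResult::neutral();
  }
  $permission = 'view ' . $media->bundle() . ' media';
  if ($account->hasPermission($permission)) {
    // Neutral, not allowed: core's "view media" and published checks still decide.
    return AccessResult::neutral()->cachePerPermissions();
  }
  // A forbidden result from any hook overrides core's "view media" grant.
  return AccessResult::forbidden("The '$permission' permission is required.")
    ->cachePerPermissions();
}
```

Because the hook denies by default, every role that currently relies on "view media" has to be granted the new per-bundle permissions before the module is enabled, which mirrors step 2 above.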

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

