Problem/Motivation
Access to media files in the private file space is governed solely by the 'view media' permission and publishing status. This means private assets are still visible, even if access to the node that relates to these media is forbidden.
Proposed resolution
The ideal way to fix this is to make media entities respect access control of their "parent" content. There's an earlier patch from @solide-echt that attempts to do this. However, this is tricky, because file_usage is tracking the entity that has the file attached; that means the media entity (*this* entity), not the node. There's an issue to resolve this at #2835840: Track media usage and present it to the site builder (in the media library, media view, on media deletion confirmation, etc.).
Without this, each media access check would involve the file usage query, N entity queries, and then an access check for each matching entity. While this might work as a site-specific solution that has limited fields/content, it does not work as a generic solution in core.
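The site-specific variant described above, as an added example (not code from the attached patch, from core, or from media_private_access): a hook_ENTITY_TYPE_access() implementation that forbids viewing media backed by a private file unless the user can view at least one referencing node. The module name mymodule and the single node reference field field_media are assumptions.

```php
<?php

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\StreamWrapper\StreamWrapperManager;
use Drupal\file\Entity\File;
use Drupal\media\MediaInterface;
use Drupal\media\Plugin\media\Source\File as FileSource;

/**
 * Implements hook_ENTITY_TYPE_access() for media entities.
 *
 * Assumed names (hypothetical): module "mymodule", node field "field_media".
 */
function mymodule_media_access(MediaInterface $media, $operation, AccountInterface $account) {
  // Restrict viewing only, and leave media administrators to the core handler.
  if ($operation !== 'view' || $account->hasPermission('administer media')) {
    return AccessResult::neutral()->cachePerPermissions();
  }
  // Only media whose source file is in the private file space is affected.
  $source = $media->getSource();
  $fid = $source instanceof FileSource ? $source->getSourceFieldValue($media) : NULL;
  $file = $fid ? File::load($fid) : NULL;
  if (!$file || StreamWrapperManager::getScheme($file->getFileUri()) !== 'private') {
    return AccessResult::neutral()->cachePerPermissions()->addCacheableDependency($media);
  }
  // One entity query for the single assumed field; a generic version needs
  // one such query per field that can reference media.
  $nids = \Drupal::entityQuery('node')
    ->accessCheck(FALSE)
    ->condition('field_media.target_id', $media->id())
    ->execute();
  $nodes = \Drupal::entityTypeManager()->getStorage('node')->loadMultiple($nids);
  // Then one access check per referencing node, stopping at the first hit.
  $viewable = FALSE;
  foreach ($nodes as $node) {
    if ($node->access('view', $account)) {
      $viewable = TRUE;
      break;
    }
  }
  // Deny by default. Neutral hands the decision back to the core handler,
  // which still applies 'view media' and the published status.
  $result = $viewable
    ? AccessResult::neutral()
    : AccessResult::forbidden('No viewable node references this private media item.');
  // Varies per user; node_list is invalidated when any node is saved or deleted.
  return $result->cachePerUser()->addCacheTags(['node_list'])->addCacheableDependency($media);
}
```

Because a forbidden result from an access hook overrides the handler's own result, the hook only ever narrows access. The per-user cache context and the node_list tag show the caching cost that comes on top of the extra queries.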
Remaining tasks
This issue is blocked by #2835840 (see above, and comment #8). But then...
- Discuss what the best approach for respecting the access in the whole relationship chain is
- Implement it
A proof-of-concept for testing out possible solutions is being started in contrib at https://drupal.org/project/media_private_access
User interface changes
TBD
API changes
TBD
Data model changes
TBD
Original report by solide-echt:
When the private file space is used for media, access control to the media entities and underlying files is AFAIK governed solely by 'view media' permission and publishing status, as defined in /modules/media/src/MediaAccessControlHandler.php:
return AccessResult::allowedIf($account->hasPermission('view media') && $entity->isPublished())
  ->cachePerPermissions()
  ->addCacheableDependency($entity);
This means private assets are still visible, even if access to the node that relates to these media is forbidden. Although media is focused on re-using existing media I believe the possibility to re-use media should not include assets that are meant to be private.
I've attached a patch as a first attempt to include access permissions to media based on the following assumptions and limitations:
- Access to private media is denied by default
- Access is granted if the user has access to at least one entity the user has access to
- Permissions are checked for node entities only for now (though I think generalisation should not be that hard..).
- I need to find a way to filter inaccessible assets from views, e.g. in admin/content/files, as file names etc. are still shown
Although a long-time Drupal user, this is my first patch for Drupal 8 core, so please bear with me ;-)
Eric