Issue #3017935 by chr.fritsch, Wim Leers, alexpott, phenaproxima: Media items should not be available at /media/{id} to users with 'view media' permission by default

Author: alexpott

core/modules/media/config/install/media.settings.yml

@@ -1,3 +1,4 @@
 icon_base_uri: 'public://media-icons/generic'
 iframe_domain: ''
 oembed_providers_url: 'https://oembed.com/providers.json'
+standalone_url: false

core/modules/media/config/schema/media.schema.yml

@@ -11,6 +11,9 @@ media.settings:
     oembed_providers_url:
       type: uri
       label: 'The URL of the oEmbed providers database in JSON format'
+    standalone_url:
+      type: boolean
+      label: 'Allow media items to be viewed standalone at /media/{id}'
 
 media.type.*:
   type: config_entity

core/modules/media/media.links.task.yml

@@ -1,18 +1,5 @@
-entity.media.canonical:
-  title: View
-  route_name: entity.media.canonical
-  base_route: entity.media.canonical
-
-entity.media.edit_form:
-  title: Edit
-  route_name: entity.media.edit_form
-  base_route: entity.media.canonical
-
-entity.media.delete_form:
-  title: Delete
-  route_name: entity.media.delete_form
-  base_route: entity.media.canonical
-  weight: 10
+media.tasks:
+  deriver: 'Drupal\media\Plugin\Derivative\DynamicLocalTasks'
 
 entity.media_type.edit_form:
   title: Edit

core/modules/media/media.module

@@ -347,3 +347,14 @@ function _media_get_add_url($allowed_bundles) {
 
   return FALSE;
 }
+
+/**
+ * Implements hook_entity_type_alter().
+ */
+function media_entity_type_alter(array &$entity_types) {
+  if (\Drupal::config('media.settings')->get('standalone_url')) {
+    /** @var \Drupal\Core\Entity\ContentEntityTypeInterface $entity_type */
+    $entity_type = $entity_types['media'];
+    $entity_type->setLinkTemplate('canonical', '/media/{media}');
+  }
+}

core/modules/media/media.post_update.php

@@ -18,3 +18,13 @@ function media_post_update_collection_route() {
 function media_post_update_storage_handler() {
   // Empty post-update hook.
 }
+
+/**
+ * Keep media items viewable at /media/{id}.
+ */
+function media_post_update_enable_standalone_url() {
+  \Drupal::configFactory()
+    ->getEditable('media.settings')
+    ->set('standalone_url', TRUE)
+    ->save(TRUE);
+}

core/modules/media/media.services.yml

@@ -19,3 +19,8 @@ services:
   media.oembed.iframe_url_helper:
     class: Drupal\media\IFrameUrlHelper
     arguments: ['@router.request_context', '@private_key']
+  media.config_subscriber:
+    class: Drupal\media\EventSubscriber\MediaConfigSubscriber
+    arguments: ['@router.builder', '@cache_tags.invalidator', '@entity_type.manager']
+    tags:
+      - { name: event_subscriber }

core/modules/media/src/Entity/Media.php

@@ -43,7 +43,7 @@
  *     "translation" = "Drupal\content_translation\ContentTranslationHandler",
  *     "views_data" = "Drupal\media\MediaViewsData",
  *     "route_provider" = {
- *       "html" = "Drupal\Core\Entity\Routing\AdminHtmlRouteProvider",
+ *       "html" = "Drupal\media\Routing\MediaRouteProvider",
  *     }
  *   },
  *   base_table = "media",
@@ -75,7 +75,7 @@
  *   links = {
  *     "add-page" = "/media/add",
  *     "add-form" = "/media/add/{media_type}",
- *     "canonical" = "/media/{media}",
+ *     "canonical" = "/media/{media}/edit",
  *     "collection" = "/admin/content/media",
  *     "delete-form" = "/media/{media}/delete",
  *     "delete-multiple-form" = "/media/delete",

core/modules/media/src/EventSubscriber/MediaConfigSubscriber.php

@@ -0,0 +1,92 @@
+<?php
+
+namespace Drupal\media\EventSubscriber;
+
+use Drupal\Core\Cache\CacheTagsInvalidatorInterface;
+use Drupal\Core\Config\ConfigCrudEvent;
+use Drupal\Core\Config\ConfigEvents;
+use Drupal\Core\Entity\EntityTypeManagerInterface;
+use Drupal\Core\Routing\RouteBuilderInterface;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+
+/**
+ * Listens to the config save event for media.settings.
+ */
+class MediaConfigSubscriber implements EventSubscriberInterface {
+
+  /**
+   * The route builder.
+   *
+   * @var \Drupal\Core\Routing\RouteBuilderInterface
+   */
+  protected $routeBuilder;
+
+  /**
+   * The cache tags invalidator.
+   *
+   * @var \Drupal\Core\Cache\CacheTagsInvalidatorInterface
+   */
+  protected $cacheTagsInvalidator;
+
+  /**
+   * The entity type manager.
+   *
+   * @var \Drupal\Core\Entity\EntityTypeManagerInterface
+   */
+  protected $entityTypeManager;
+
+  /**
+   * Constructs the MediaConfigSubscriber.
+   *
+   * @param \Drupal\Core\Routing\RouteBuilderInterface $router_builder
+   *   The route builder.
+   * @param \Drupal\Core\Cache\CacheTagsInvalidatorInterface $cache_tags_invalidator
+   *   The cache tags invalidator.
+   * @param \Drupal\Core\Entity\EntityTypeManagerInterface $entity_type_manager
+   *   The entity type manager.
+   */
+  public function __construct(RouteBuilderInterface $router_builder, CacheTagsInvalidatorInterface $cache_tags_invalidator, EntityTypeManagerInterface $entity_type_manager) {
+    $this->routeBuilder = $router_builder;
+    $this->cacheTagsInvalidator = $cache_tags_invalidator;
+    $this->entityTypeManager = $entity_type_manager;
+  }
+
+  /**
+   * Updates entity type definitions and ensures routes are rebuilt when needed.
+   *
+   * @param \Drupal\Core\Config\ConfigCrudEvent $event
+   *   The ConfigCrudEvent to process.
+   */
+  public function onSave(ConfigCrudEvent $event) {
+    $saved_config = $event->getConfig();
+    if ($saved_config->getName() === 'media.settings' && $event->isChanged('standalone_url')) {
+      $this->cacheTagsInvalidator->invalidateTags([
+        // The configuration change triggers entity type definition changes,
+        // which in turn triggers routes to appear or disappear.
+        // @see media_entity_type_alter()
+        'entity_types',
+        // The 'rendered' cache tag needs to be explicitly invalidated to ensure
+        // that all links to Media entities are re-rendered. Ideally, this would
+        // not be necessary; invalidating the 'entity_types' cache tag should be
+        // sufficient. But that cache tag would then need to be on nearly
+        // everything, resulting in excessive complexity. We prefer pragmatism.
+        'rendered',
+      ]);
+      // @todo Remove this when invalidating the 'entity_types' cache tag is
+      // respected by the entity type plugin manager. See
+      // https://www.drupal.org/project/drupal/issues/3001284 and
+      // https://www.drupal.org/project/drupal/issues/3013659.
+      $this->entityTypeManager->clearCachedDefinitions();
+      $this->routeBuilder->setRebuildNeeded();
+    }
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public static function getSubscribedEvents() {
+    $events[ConfigEvents::SAVE][] = ['onSave'];
+    return $events;
+  }
+
+}

core/modules/media/src/Form/MediaSettingsForm.php

@@ -3,6 +3,7 @@
 namespace Drupal\media\Form;
 
 use Drupal\Core\Config\ConfigFactoryInterface;
+use Drupal\Core\Entity\EntityTypeManagerInterface;
 use Drupal\Core\Form\FormStateInterface;
 use Drupal\Core\Form\ConfigFormBase;
 use Drupal\media\IFrameUrlHelper;
@@ -22,17 +23,27 @@ class MediaSettingsForm extends ConfigFormBase {
    */
   protected $iFrameUrlHelper;
 
+  /**
+   * The entity type manager.
+   *
+   * @var \Drupal\Core\Entity\EntityTypeManagerInterface
+   */
+  protected $entityTypeManager;
+
   /**
    * MediaSettingsForm constructor.
    *
    * @param \Drupal\Core\Config\ConfigFactoryInterface $config_factory
    *   The config factory service.
    * @param \Drupal\media\IFrameUrlHelper $iframe_url_helper
    *   The iFrame URL helper service.
+   * @param \Drupal\Core\Entity\EntityTypeManagerInterface $entity_type_manager
+   *   The entity type manager.
    */
-  public function __construct(ConfigFactoryInterface $config_factory, IFrameUrlHelper $iframe_url_helper) {
+  public function __construct(ConfigFactoryInterface $config_factory, IFrameUrlHelper $iframe_url_helper, EntityTypeManagerInterface $entity_type_manager) {
     parent::__construct($config_factory);
     $this->iFrameUrlHelper = $iframe_url_helper;
+    $this->entityTypeManager = $entity_type_manager;
   }
 
   /**
@@ -41,7 +52,8 @@ public function __construct(ConfigFactoryInterface $config_factory, IFrameUrlHel
   public static function create(ContainerInterface $container) {
     return new static(
       $container->get('config.factory'),
-      $container->get('media.oembed.iframe_url_helper')
+      $container->get('media.oembed.iframe_url_helper'),
+      $container->get('entity_type.manager')
     );
   }
 
@@ -91,6 +103,13 @@ public function buildForm(array $form, FormStateInterface $form_state) {
       '#description' => $this->t('Enter a different domain from which to serve oEmbed content, including the <em>http://</em> or <em>https://</em> prefix. This domain needs to point back to this site, or existing oEmbed content may not display correctly, or at all.'),
     ];
 
+    $form['security']['standalone_url'] = [
+      '#prefix' => '<hr>',
+      '#type' => 'checkbox',
+      '#title' => $this->t('Standalone media URL'),
+      '#default_value' => $this->config('media.settings')->get('standalone_url'),
+      '#description' => $this->t("Allow users to access @media-entities at /media/{id}.", ['@media-entities' => $this->entityTypeManager->getDefinition('media')->getPluralLabel()]),
+    ];
     return parent::buildForm($form, $form_state);
   }
 
@@ -100,6 +119,7 @@ public function buildForm(array $form, FormStateInterface $form_state) {
   public function submitForm(array &$form, FormStateInterface $form_state) {
     $this->config('media.settings')
       ->set('iframe_domain', $form_state->getValue('iframe_domain'))
+      ->set('standalone_url', $form_state->getValue('standalone_url'))
       ->save();
 
     parent::submitForm($form, $form_state);

core/modules/media/src/Plugin/Derivative/DynamicLocalTasks.php

@@ -0,0 +1,94 @@
+<?php
+
+namespace Drupal\media\Plugin\Derivative;
+
+use Drupal\Component\Plugin\Derivative\DeriverBase;
+use Drupal\Core\Config\ConfigFactoryInterface;
+use Drupal\Core\Entity\EntityTypeManagerInterface;
+use Drupal\Core\Plugin\Discovery\ContainerDeriverInterface;
+use Drupal\Core\StringTranslation\StringTranslationTrait;
+use Drupal\Core\StringTranslation\TranslationInterface;
+use Symfony\Component\DependencyInjection\ContainerInterface;
+
+/**
+ * Generates media-related local tasks.
+ */
+class DynamicLocalTasks extends DeriverBase implements ContainerDeriverInterface {
+
+  use StringTranslationTrait;
+
+  /**
+   * The entity type manager.
+   *
+   * @var \Drupal\Core\Entity\EntityTypeManagerInterface
+   */
+  protected $entityTypeManager;
+
+  /**
+   * The media settings config.
+   *
+   * @var \Drupal\Core\Config\ImmutableConfig
+   */
+  protected $config;
+
+  /**
+   * Creates a DynamicLocalTasks object.
+   *
+   * @param \Drupal\Core\StringTranslation\TranslationInterface $string_translation
+   *   The translation manager.
+   * @param \Drupal\Core\Entity\EntityTypeManagerInterface $entity_type_manager
+   *   The entity type manager.
+   * @param \Drupal\Core\Config\ConfigFactoryInterface $config_factory
+   *   The config factory.
+   */
+  public function __construct(TranslationInterface $string_translation, EntityTypeManagerInterface $entity_type_manager, ConfigFactoryInterface $config_factory) {
+    $this->stringTranslation = $string_translation;
+    $this->entityTypeManager = $entity_type_manager;
+    $this->config = $config_factory->get('media.settings');
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public static function create(ContainerInterface $container, $base_plugin_id) {
+    return new static(
+      $container->get('string_translation'),
+      $container->get('entity_type.manager'),
+      $container->get('config.factory')
+    );
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function getDerivativeDefinitions($base_plugin_definition) {
+    // Provide an edit_form task if standalone media URLs are enabled.
+    $this->derivatives["entity.media.canonical"] = [
+      'route_name' => "entity.media.canonical",
+      'title' => $this->t('Edit'),
+      'base_route' => "entity.media.canonical",
+      'weight' => 1,
+    ] + $base_plugin_definition;
+
+    if ($this->config->get('standalone_url')) {
+      $this->derivatives["entity.media.canonical"]['title'] = $this->t('View');
+
+      $this->derivatives["entity.media.edit_form"] = [
+        'route_name' => "entity.media.edit_form",
+        'title' => $this->t('Edit'),
+        'base_route' => 'entity.media.canonical',
+        'weight' => 2,
+      ] + $base_plugin_definition;
+    }
+
+    $this->derivatives["entity.media.delete_form"] = [
+      'route_name' => "entity.media.delete_form",
+      'title' => $this->t('Delete'),
+      'base_route' => "entity.media.canonical",
+      'weight' => 10,
+    ] + $base_plugin_definition;
+
+    return $this->derivatives;
+  }
+
+}