jhu-idc / iDC-general

Contains non-code-base specific tickets relating to the Islandora8 for Digital Collection project

media_of field doesn't consider permissions yet #495

Open bseeger opened 3 years ago

bseeger commented 3 years ago

The media_of field on Media Types needs a permission check to ensure that the user can put that media on the node they are trying to attach it to. The user's permissions need to be considered in the same way that they are on the member_of field on nodes (https://github.com/jhu-idc/idc-isle-dc/issues/108).

@jordandukart notes that we can add a condition to the check that's happening in the https://github.com/jhu-idc/idc_defaults/blob/main/idc_defaults.module#L10-L20.

His notes:

Jordan Dukart  9:54 AM
https://github.com/jhu-idc/idc_defaults/blob/main/idc_defaults.module#L10-L20, could add a condition there that looks for whatever other field
idc_defaults.module
/**
 * Implements hook_entity_bundle_field_info_alter().
 */
function idc_defaults_entity_bundle_field_info_alter(&$fields, EntityTypeInterface $entity_type, $bundle) {
  if (isset($fields['field_member_of'])) {
9:54
if (isset($fields['field_media_of'])) {
  $fields['field_media_of']->addConstraint('WorkbenchAccess');
}
or whatever.

Note that if we don't fix this, users will be able to put media on any node they choose and they will not be limited to nodes they actually have access to.

htpvu commented 2 years ago

Ideally, we should get this done before handing iDC over to LAG. This affects data integrity by being too permissive.

jhu-alistair commented 2 years ago

media_of file is in a media item and links to the repository item. Per John, it looks like if someone has access to edit any media items, then they have the ability to edit any media item records, even to collections where they do not have permissions.
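The kind of check this issue asks for, written out as an added example that is not part of the thread and is not the project's `WorkbenchAccess` constraint. The module name `example_media_access`, the constraint ID `ExampleParentNodeAccess` and the choice of the `update` operation as the access test are all assumptions made for illustration.

```php
<?php
// ---- File 1 (hypothetical module "example_media_access") ----
// src/Plugin/Validation/Constraint/ParentNodeAccessConstraint.php
namespace Drupal\example_media_access\Plugin\Validation\Constraint;

use Symfony\Component\Validator\Constraint;

/**
 * Hypothetical constraint: the user must be able to edit the parent node.
 *
 * @Constraint(
 *   id = "ExampleParentNodeAccess",
 *   label = @Translation("Parent node access", context = "Validation")
 * )
 */
class ParentNodeAccessConstraint extends Constraint {
  // Only the node ID is reported, so the title of a node the user cannot
  // view is never echoed back in the error.
  public $message = 'You are not allowed to attach media to node @id.';
}

// ---- File 2 (same namespace, separate file) ----
// src/Plugin/Validation/Constraint/ParentNodeAccessConstraintValidator.php
use Symfony\Component\Validator\ConstraintValidator;

class ParentNodeAccessConstraintValidator extends ConstraintValidator {

  public function validate($items, Constraint $constraint) {
    $account = \Drupal::currentUser();
    // $items is the entity reference item list for field_media_of.
    foreach ($items->referencedEntities() as $node) {
      // Assumption: "may update the parent node" is the right test. Access
      // hooks from other modules take part in this decision.
      if (!$node->access('update', $account)) {
        $this->context->addViolation($constraint->message, ['@id' => $node->id()]);
      }
    }
  }

}

// Wiring, following the pattern quoted in the issue:
//   if (isset($fields['field_media_of'])) {
//     $fields['field_media_of']->addConstraint('ExampleParentNodeAccess');
//   }
```

Field constraints run when the entity is validated (entity forms and the REST/JSON:API write paths), not on a bare `$entity->save()`, so code that saves media programmatically has to call `$entity->validate()` itself to get this check.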