Open bseeger opened 3 years ago
Ideally, we should get this done before handing iDC over to LAG. This affects data integrity by being too permissive.
media_of file is in a media item and links to the repository item. Per John, it looks like if someone has access to edit any media items, then they have the ability to edit any media item records even to collections where they do not have permissions.
The media_of field on Media Types needs a permission check to ensure that the user can put that media on the node they are trying to attach it to. The user's permissions need to be considered in the same way that they are on the member_of field on nodes (https://github.com/jhu-idc/idc-isle-dc/issues/108). @jordandukart notes that we can add a condition to the check that's happening in the https://github.com/jhu-idc/idc_defaults/blob/main/idc_defaults.module#L10-L20.
His notes:
Note that if we don't fix this, users will be able to put media on any node they choose and they will not be limited to nodes they actually have access to.
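One way the check described in this issue could look in a Drupal module, as an added example that is not part of the original issue and not the code in idc_defaults.module. The module prefix `example_` and the helper name are hypothetical, and it assumes media_of is an entity reference to nodes, with "update" access on the node as the required permission.

```php
<?php

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\media\MediaInterface;

/**
 * Returns the first media_of target $account may not update, or NULL.
 * (Hypothetical helper; "update" on the parent node is an assumption.)
 */
function example_media_of_blocked_parent(MediaInterface $media, AccountInterface $account) {
  if (!$media->hasField('media_of')) {
    return NULL;
  }
  foreach ($media->get('media_of')->referencedEntities() as $node) {
    if (!$node->access('update', $account)) {
      return $node;
    }
  }
  return NULL;
}

/**
 * Implements hook_ENTITY_TYPE_access() for media.
 * Existing media: editing or deleting requires update access to its parent.
 */
function example_media_access(MediaInterface $media, $operation, AccountInterface $account) {
  $blocked = in_array($operation, ['update', 'delete'], TRUE)
    && example_media_of_blocked_parent($media, $account) !== NULL;
  // Forbidden overrides the broad "edit any media" permission.
  return AccessResult::forbiddenIf($blocked, 'No update access to the media_of node.')
    ->setCacheMaxAge(0);
}

/**
 * Implements hook_form_BASE_FORM_ID_alter() for the media add/edit forms.
 */
function example_form_media_form_alter(array &$form, FormStateInterface $form_state, $form_id) {
  $form['#validate'][] = 'example_media_of_validate';
}

/**
 * New or re-pointed media: validate the submitted media_of value.
 */
function example_media_of_validate(array &$form, FormStateInterface $form_state) {
  $media = $form_state->getFormObject()->buildEntity($form, $form_state);
  if (example_media_of_blocked_parent($media, \Drupal::currentUser())) {
    $form_state->setErrorByName('media_of', t('You do not have permission to attach media to that item.'));
  }
}
```

The form validator only covers the entity form; writes through REST or JSON:API would need the same check as a validation constraint on the media_of field.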