Issue #3038350 by seanB, Wim Leers, effulgentsia: Deny access to all media...

Issue #3038350 by seanB, Wim Leers, effulgentsia: Deny access to all media library View Displays if there is no valid state object

core/modules/media_library/media_library.services.yml

@@ -2,3 +2,7 @@ services:
   media_library.ui_builder:
     class: Drupal\media_library\MediaLibraryUiBuilder
     arguments: ['@entity_type.manager', '@request_stack', '@views.executable', '@form_builder']
+  media_library.route_subscriber:
+    class: Drupal\media_library\Routing\RouteSubscriber
+    tags:
+      - { name: event_subscriber }

core/modules/media_library/src/Routing/RouteSubscriber.php

+<?php
+
+namespace Drupal\media_library\Routing;
+
+use Drupal\Core\Routing\RouteSubscriberBase;
+use Symfony\Component\Routing\RouteCollection;
+
+/**
+ * Subscriber for media library routes.
+ */
+class RouteSubscriber extends RouteSubscriberBase {
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function alterRoutes(RouteCollection $collection) {
+    // Add the media library UI access checks to the widget displays of the
+    // media library view.
+    if ($route = $collection->get('view.media_library.widget')) {
+      $route->addRequirements(['_custom_access' => 'media_library.ui_builder:checkAccess']);
+    }
+    if ($route = $collection->get('view.media_library.widget_table')) {
+      $route->addRequirements(['_custom_access' => 'media_library.ui_builder:checkAccess']);
+    }
+  }
+
+}

core/modules/media_library/tests/src/FunctionalJavascript/MediaLibraryTest.php

@@ -292,6 +292,8 @@ public function testWidgetAccess() {
     // Verify that unprivileged users can't access the widget view.
     $this->drupalGet('admin/content/media-widget', $url_options);
     $assert_session->responseContains('Access denied');
+    $this->drupalGet('admin/content/media-widget-table', $url_options);
+    $assert_session->responseContains('Access denied');
     $this->drupalGet('media-library', $url_options);
     $assert_session->responseContains('Access denied');
 
@@ -302,12 +304,23 @@ public function testWidgetAccess() {
     ]);
     $this->drupalGet('admin/content/media-widget', $url_options);
     $assert_session->elementExists('css', '.view-media-library');
+    $this->drupalGet('admin/content/media-widget-table', $url_options);
+    $assert_session->elementExists('css', '.view-media-library');
     $this->drupalGet('media-library', $url_options);
     $assert_session->elementExists('css', '.view-media-library');
     // Assert the user does not have access to the media add form if the user
     // does not have the 'create media' permission.
     $assert_session->fieldNotExists('files[upload][]');
 
+    // Assert users can not access the widget displays of the media library view
+    // without a valid media library state.
+    $this->drupalGet('admin/content/media-widget');
+    $assert_session->responseContains('Access denied');
+    $this->drupalGet('admin/content/media-widget-table');
+    $assert_session->responseContains('Access denied');
+    $this->drupalGet('media-library');
+    $assert_session->responseContains('Access denied');
+
     // Assert users with the 'create media' permission can access the media add
     // form.
     $this->grantPermissions($role, [