Drupal media access control should be the same as the referencing content node access and privacy settings

In the new version, we would like to have this fixed so that folks can add things from the media library (assuming that they can only see files associated with content items that have not be designated as private). Do content permissions sync with file permissions?

There are two additional layers of access after the content:

  1. Passing on the content item (node)’s permissions to the media item.
  2. Preventing access to the actual file if someone does not have access to the media item.

Note that the equivalent to 2 is not a feature of many current sites— if you can guess a path to the file, you can see it. So only addressing 1 here, for now. (Once the media access is controlled, addressing 2 is a matter of enabling and using private files. More here Make Media Library work with private files ? and here, plus an issue about documenting supporting private files for media).

One one set of sites we have it is certainly worth filing an issue with Access Policy module that we are already using. It already supports multiple entity types including (it seems?) media. There may already be a way to configure the module to do this, or the feature may be readily embraced by the amazingly responsive maintainer.

Or, as an issue closed as duplicate put it: Access to files attached via media entities should be ultimately controlled by the published state of related content