WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#20638 closed defect (bug) (duplicate)

Users without "edit_posts" capability unable to use async-upload if given capabilities for custom post type

Reported by: fabrizim Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.3.2
Component: Upload Keywords:
Focuses: Cc:

Description

The problem:

After checking a users capaiblity to "upload_files", async-upload.php pulls the current attachment during a fetch and checks the "edit_post" capability for that attachment. Because the meta capability mapped to attachment post type is "edit_post", if the current user does not have that enabled, the upload will fail. This can happen when an environment is setup with new roles that do not allow users to edit_posts, but do allow a different capability_type on a custom post type.

The fix:

Pull the attachments parent post and check the edit_post capability for that posts content type instead.

Bug in Source:

http://core.trac.wordpress.org/browser/trunk/wp-admin/async-upload.php#L37

Temporary Workaround:

add_filter('user_has_cap', 'async_upload_cap_fix', 10, 3);
function async_upload_cap_fix($all, $caps, $args)
{
    $cap = $args[0];
    if( basename($_SERVER['SCRIPT_NAME']) != 'async-upload.php' || $cap != 'edit_post' ) return $all;
    $post = get_post( $args[2] );
    if( get_post_type( $post ) != 'attachment' ) return $all;
    // get the parent post
    $post = get_post( $post->post_parent );
    $post_type_object = get_post_type_object( $post->post_type );
    if( user_can( $args[1], $post_type_object->cap->edit_post, $post->ID) ){
        foreach( $caps as $cap ) $all[$cap] = 1;
    }
    return $all;
    
}

I am not sure how to add a patch, or how you would best like to add it in, so I will just leave that temporary workaround for now.

Change History (2)

comment:1 @johnbillion3 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

Dupe of #19817. See also #19834.

comment:2 @SergeyBiryukov3 years ago

  • Milestone Awaiting Review deleted
Note: See TracTickets for help on using tickets.