Opened 10 years ago
Closed 10 years ago
#25395 closed defect (bug) (invalid)
Potential bug of uploading images using media-upload
Priority: normal
Severity: normal
Version: 3.6.1
Component: Upload
Keywords: close
Description
File: wp-admin/media-upload.php
Version: 3.6.1
Line: 37:
if ( ! empty( $_REQUEST['post_id'] ) && ! current_user_can( 'edit_post' , $_REQUEST['post_id'] ) )
In the WordPress documentation: http://codex.wordpress.org/Roles_and_Capabilities#edit_posts
The name of this capability should be "edit_posts", but in this file the name of the right is "edit_post" (without the 's').
The result is that when a non-admin user wants to upload an image in a theme that is using "option-tree", it results in a "Cheating, ugh?" message.
I am not sure if there are other places where the same thing happened, therefore I suggest to do a simple full-code scan to verify that.
Thank you.
Change History (6)
#1 (follow-up: comment 4), 10 years ago:
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
#4 (in reply to: comment 1), 10 years ago:
- Resolution invalid deleted
- Status changed from closed to reopened
Replying to markoheijnen:
In this case the capability name is correct. In this case it checks if the user can attach the image to a post. So users aren't allowed to upload images unless they have the capability 'upload_files'. When they want to attach the image to a post it needs 'edit_posts' or 'edit_others_posts' if it isn't their post
Thanks for your reply, Mark.
Your reason about post and attachment is understood, what I am going after is the name: there is no such right as "edit_post", only "edit_posts".
http://codex.wordpress.org/Roles_and_Capabilities#edit_posts
And this problem still exists in 3.8.1, line 37
Thank you.
#5, 10 years ago:
- Keywords close added
Your reason about post and attachment is understood, what I am going after is the name: there is no such right as "edit_post", only "edit_posts".
'edit_post' is a meta capability which is mapped to edit_posts and/or edit_private_posts and/or edit_others_posts here:
https://core.trac.wordpress.org/browser/trunk/src/wp-includes/capabilities.php#L1104
The actual caps it maps to are found here:
https://core.trac.wordpress.org/browser/trunk/src/wp-includes/post.php#L1396
It's hard to explain how the latter is set up; to truly understand it, reading the documentation in the file around that area and adding some debugging cases is really needed.
Basically, what I'm saying is that 'edit_post' is a special "meta" capability which is mapped onto another "real" capability during the cap checks: checking for edit_post with a context of $post_id will check for 'edit_posts' for an administrator, and for another user would check 'edit_others_posts'.
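The meta-capability mapping described in the comments above can be made concrete with a small model. The Python block below is an added example by the editor, not code from WordPress or from anyone on this ticket. It restates the 'edit_post' branch of map_meta_cap() from wp-includes/capabilities.php as the editor recalls it for WordPress of that era (revisions, trash handling and custom post-type cap names are left out), and then models the two gates media-upload.php applies: 'upload_files' first, then 'edit_post' on the supplied post_id (the line-37 check from the ticket). The roles, users and posts are constructed sample data, and the hard deny for an unknown post id is an assumption noted in the code.

```python
from dataclasses import dataclass

# Primitive capabilities per role, as granted by the stock WordPress roles
# (assumption: default roles only; sites with custom roles or plugins differ).
ROLE_CAPS = {
    "administrator": {"upload_files", "edit_posts", "edit_others_posts",
                      "edit_published_posts", "edit_private_posts"},
    "editor": {"upload_files", "edit_posts", "edit_others_posts",
               "edit_published_posts", "edit_private_posts"},
    "author": {"upload_files", "edit_posts", "edit_published_posts"},
    "contributor": {"edit_posts"},
    "subscriber": set(),
}


@dataclass(frozen=True)
class User:
    id: int
    role: str


@dataclass(frozen=True)
class Post:
    id: int
    author: int   # user id stored in post_author
    status: str   # 'draft', 'pending', 'publish' or 'private'


def map_meta_cap(cap, user, post):
    """Return the primitive caps a check for `cap` actually tests.

    Models the 'edit_post' branch of map_meta_cap(); any other cap is
    returned unchanged, which is what WordPress does for primitive caps
    such as 'upload_files' or 'edit_posts'.
    """
    if cap != "edit_post":
        return [cap]
    if post is None:
        # Unknown post id: modelled as a hard deny via the 'do_not_allow'
        # pseudo-cap (assumption about how a missing post is handled).
        return ["do_not_allow"]
    if user.id == post.author:
        # Own post: a published one needs edit_published_posts,
        # a draft/pending/private one needs plain edit_posts.
        if post.status == "publish":
            return ["edit_published_posts"]
        return ["edit_posts"]
    # Someone else's post: edit_others_posts, plus an extra cap by status.
    caps = ["edit_others_posts"]
    if post.status == "publish":
        caps.append("edit_published_posts")
    elif post.status == "private":
        caps.append("edit_private_posts")
    return caps


def user_can(user, cap, post=None):
    """current_user_can()-style check: map the cap, then require all of them."""
    needed = map_meta_cap(cap, user, post)
    if "do_not_allow" in needed:
        return False
    return all(c in ROLE_CAPS[user.role] for c in needed)


def media_upload_allowed(user, post_id, posts):
    """The two gates media-upload.php applies, in order.

    Returns (allowed, reason). The second gate is the ticket's line 37:
    with a non-empty post_id the user must pass 'edit_post' on that post.
    """
    if not user_can(user, "upload_files"):
        return (False, "needs upload_files")
    if post_id and not user_can(user, "edit_post", posts.get(post_id)):
        return (False, "edit_post denied for post %d" % post_id)
    return (True, "")


# Constructed sample site: three users and three posts.
ADMIN = User(1, "administrator")
AUTHOR = User(2, "author")
CONTRIBUTOR = User(3, "contributor")
POSTS = {
    10: Post(10, author=2, status="draft"),    # the author's own draft
    11: Post(11, author=3, status="publish"),  # contributor's post, published by an editor
    12: Post(12, author=2, status="private"),  # the author's own private post
}

if __name__ == "__main__":
    for user in (ADMIN, AUTHOR, CONTRIBUTOR):
        for pid, post in POSTS.items():
            print(user.role, pid, map_meta_cap("edit_post", user, post),
                  media_upload_allowed(user, pid, POSTS))
```

Running the block prints, for each role and post, which primitive caps 'edit_post' resolves to and whether the uploader would let that user attach to that post. The contributor is refused at the first gate regardless of post, the author is refused only on the contributor's published post (because 'edit_post' there resolves to edit_others_posts), and the administrator passes everywhere, which is the behaviour the comments describe.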