Make WordPress Core

Opened 10 years ago

Closed 10 years ago

#25395 closed defect (bug) (invalid)

Potential bug of uploading images using media-upload

Reported by: alucard001
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.6.1
Component: Upload
Keywords: close
Focuses:
Cc:

Description (last modified by SergeyBiryukov)

File: wp-admin/media-upload.php
Version: 3.6.1

Line 37:

if ( ! empty( $_REQUEST['post_id'] ) && ! current_user_can( 'edit_post' , $_REQUEST['post_id'] ) )

In the WordPress documentation: http://codex.wordpress.org/Roles_and_Capabilities#edit_posts

The name of this capability should be called "edit_posts", but in this file the name of the right is called "edit_post" (without the 's').

The result is that when a non-admin user wants to upload an image in a theme that is using "option-tree", it will result in a "Cheating, ugh?" message.

I am not sure if there are other places where the same thing happened, therefore I suggest to do a simple full-code scan to verify that.

Thank you.

Change History (6)

#1 follow-up: @markoheijnen
10 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

In this case the capability name is correct. In this case it checks if the user can attach the image to a post. So users aren't allowed to upload images unless they have the capability 'upload_files'. When they want to attach the image to a post it needs 'edit_posts' or 'edit_others_posts' if it isn't their post.

#2 @markoheijnen
10 years ago

  • Component changed from Administration to Upload
  • Keywords needs-patch removed

#3 @SergeyBiryukov
10 years ago

  • Description modified (diff)

Related: #19834, #22415

#4 in reply to: ↑ 1 @alucard001
10 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

Replying to markoheijnen:

In this case the capability name is correct. In this case it checks if the user can attach the image to a post. So users aren't allowed to upload images unless they have the capability 'upload_files'. When they want to attach the image to a post it needs 'edit_posts' or 'edit_others_posts' if it isn't their post.

Thanks for your reply, Mark.

Your reason about post and attachment is understood, what I am going after is the name: there is no such right as "edit_post", only "edit_posts".

http://codex.wordpress.org/Roles_and_Capabilities#edit_posts

And this problem still exists in 3.8.1, line 37.

Thank you.

#5 @dd32
10 years ago

  • Keywords close added

Your reason about post and attachment is understood, what I am going after is the name: there is no such right as "edit_post", only "edit_posts".

'edit_post' is a meta capability which is mapped to edit_posts and/or edit_private_posts and/or edit_others_posts here:
https://core.trac.wordpress.org/browser/trunk/src/wp-includes/capabilities.php#L1104

The actual caps it maps to are found here:
https://core.trac.wordpress.org/browser/trunk/src/wp-includes/post.php#L1396

It's hard to explain how the latter is set up; to truly understand it, reading the documentation in the file around that area and adding some debugging cases is really needed.

Basically, what I'm saying is that 'edit_post' is a special "meta" capability which is mapped onto another "real" capability during the cap checks: checking for edit_post with a context of $post_id will check for 'edit_posts' for an administrator, and for another user would check 'edit_others_posts'.
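As an added illustration, not code from WordPress core or from anyone in this ticket, here is a simplified model of the meta-capability mapping dd32 describes: the role capability sets and sample posts are constructed, and the mapping rules are a simplification of WordPress's own map_meta_cap(), shown only to make clear why the line 37 check uses 'edit_post' with a post id rather than the bare 'edit_posts'.

```php
<?php
// Simplified model of how the meta capability 'edit_post' resolves to primitive
// caps. Illustrative only, NOT WordPress's real map_meta_cap(); roles and posts
// below are constructed sample data.
$roles = [
    'contributor' => ['edit_posts'],
    'author'      => ['edit_posts', 'edit_published_posts', 'upload_files'],
    'editor'      => ['edit_posts', 'edit_published_posts', 'edit_others_posts',
                      'edit_private_posts', 'upload_files'],
];

// post id => [author user id, post status]
$posts = [
    10 => ['author' => 1, 'status' => 'draft'],
    11 => ['author' => 2, 'status' => 'publish'],
    12 => ['author' => 2, 'status' => 'private'],
];

// Map 'edit_post' for one post onto the primitive caps named in the thread:
// own post -> 'edit_posts' ('edit_published_posts' once published);
// someone else's post -> 'edit_others_posts' plus a status-specific cap.
function map_edit_post_cap(int $user_id, array $post): array {
    if ($post['author'] === $user_id) {
        return [$post['status'] === 'publish' ? 'edit_published_posts' : 'edit_posts'];
    }
    $caps = ['edit_others_posts'];
    if ($post['status'] === 'publish') {
        $caps[] = 'edit_published_posts';
    } elseif ($post['status'] === 'private') {
        $caps[] = 'edit_private_posts';
    }
    return $caps;
}
// Stand-in for current_user_can( 'edit_post', $post_id ) on line 37 of
// media-upload.php: every mapped primitive cap must be held, else refuse.
function user_can_attach_to_post(array $user_caps, int $user_id, array $post): bool {
    foreach (map_edit_post_cap($user_id, $post) as $cap) {
        if (!in_array($cap, $user_caps, true)) {
            return false;
        }
    }
    return true;
}

// Contributor (user 1): own draft vs. another user's published post; editor (user 3): private post.
foreach ([['contributor', 1, 10], ['contributor', 1, 11], ['editor', 3, 12]] as [$role, $uid, $pid]) {
    $ok = user_can_attach_to_post($roles[$role], $uid, $posts[$pid]);
    printf("%s (user %d) -> post %d: %s\n", $role, $uid, $pid, $ok ? 'allowed' : 'denied');
}
```

The point of the model is that a user holding only 'edit_posts' is still denied when the post id belongs to someone else, which a plain 'edit_posts' check in media-upload.php would not catch.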

#6 @alucard001
10 years ago

  • Resolution set to invalid
  • Status changed from reopened to closed

Understood, thanks. I missed the "mapping" part.
