Opened 11 years ago
Closed 4 years ago
#28371 closed enhancement (duplicate)
Use media post type object capabilities to allow user to see actions
Reported by: | lpointet | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 4.0 |
Component: | Role/Capability | Keywords: | needs-patch |
Focuses: | administration | Cc: |
Description (last modified by )
As media is a post type, we are storing a post type object and some capabilities.
For example, create_posts
capability is mapped to upload_files
one.
When the admin interface is supposed to show a button or check the user capability to add a new post (with the 'post' or 'page' post type, this time), we retrieve the corresponding post type object to check against capabilities registered here.
This is not the case when doing it for media post type.
Indeed, here is how wp-admin/post-new.php is handling the cap check: https://core.trac.wordpress.org/browser/trunk/src/wp-admin/post-new.php#L42
Now, here is how wp-admin/media-new.php is doing: https://core.trac.wordpress.org/browser/trunk/src/wp-admin/media-new.php#L15
I think we should remove these direct upload_files
checks and do it the other way (with post type object) instead. This implies doing it at least at these times:
- displaying an UI action (button, link)
- doing a cap check
The consequence is that a plugin/theme developer cannot just rely on the post type object to update the needed capabilities. They must also hook into map_meta_cap
in order to do something when the hard-coded capabilities are checked.
I've seen some tickets that seem to address a part of the subject, but not really this particular thing:
I'm closing this as a duplicate of #19834 which has some further discussion, and has the same aim. Thanks for the report @lpointet and sorry that years have passed without this being discussed or fixed.