Opened 10 years ago

Closed 4 years ago

#28371 closed enhancement (duplicate)

Use media post type object capabilities to allow user to see actions

Reported by: lpointet
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.0
Component: Role/Capability
Keywords: needs-patch
Focuses: administration
Cc:

Description (last modified by SergeyBiryukov)

As media is a post type, we are storing a post type object and some capabilities.
For example, the create_posts capability is mapped to the upload_files one.

When the admin interface is supposed to show a button or check the user capability to add a new post (with the 'post' or 'page' post type, this time), we retrieve the corresponding post type object to check against capabilities registered here.

This is not the case when doing it for the media post type.

Indeed, here is how wp-admin/post-new.php handles the cap check: https://core.trac.wordpress.org/browser/trunk/src/wp-admin/post-new.php#L42
Now, here is how wp-admin/media-new.php does it: https://core.trac.wordpress.org/browser/trunk/src/wp-admin/media-new.php#L15

I think we should remove these direct upload_files checks and do it the other way (with post type object) instead. This implies doing it at least at these times:

  • displaying a UI action (button, link)
  • doing a cap check

The consequence is that a plugin/theme developer cannot just rely on the post type object to update the needed capabilities. They must also hook into map_meta_cap in order to do something when the hard-coded capabilities are checked.

I've seen some tickets that seem to address a part of the subject, but not really this particular thing:

Change History (3)

#1 @SergeyBiryukov
10 years ago

  • Description modified (diff)

#2 @chriscct7
9 years ago

  • Keywords needs-patch added

#3 @johnbillion
4 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

I'm closing this as a duplicate of #19834 which has some further discussion, and has the same aim. Thanks for the report @lpointet and sorry that years have passed without this being discussed or fixed.
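
The situation described in the ticket, as an added example that is not part of the ticket or of WordPress core: changing the capability on the attachment post type object only affects code that reads that object, so a map_meta_cap filter is needed to cover hard-coded upload_files checks. The capability name manage_media_library and the example_* function names are hypothetical.

```php
<?php
/**
 * Added example (not WordPress core code).
 * 'manage_media_library' is a hypothetical custom capability name.
 */
const EXAMPLE_MEDIA_CAP = 'manage_media_library'; // assumption: custom cap

// 1. Change the capability stored on the attachment post type object.
//    Priority 20 runs after core registers its post types on init (priority 0).
add_action( 'init', function () {
    $media = get_post_type_object( 'attachment' );
    if ( $media ) {
        $media->cap->create_posts = EXAMPLE_MEDIA_CAP;
    }
}, 20 );

// 2. A check that asks the post type object enforces the custom capability.
function example_can_add_media_via_object() {
    $media = get_post_type_object( 'attachment' );
    return $media && current_user_can( $media->cap->create_posts );
}

// A hard-coded check tests 'upload_files' directly; on its own it is
// unaffected by step 1, so the two checks can disagree for the same user.
function example_can_add_media_hardcoded() {
    return current_user_can( 'upload_files' );
}

// 3. The extra hook the ticket mentions: rewrite the requirement whenever
//    'upload_files' itself is checked, so both paths enforce the same rule.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    if ( 'upload_files' !== $cap ) {
        return $caps;
    }
    // Replace only the 'upload_files' entry; keep any other required caps.
    return array_map( function ( $required ) {
        return 'upload_files' === $required ? EXAMPLE_MEDIA_CAP : $required;
    }, $caps );
}, 10, 4 );
```

The roles that should be able to upload media must be granted the custom capability for these checks to pass.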