Opened 9 years ago
Closed 9 years ago
#29596 closed defect (bug) (fixed)
Media Grid View not respecting individual edit capabilities
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Milestone: | 4.0.1 | Priority: | normal |
| Severity: | normal | Version: | 4.0 |
| Component: | Media | Keywords: | has-patch commit fixed-major |
| Focuses: | Cc: |
Description
The attachment detail modal used in the Media Grid View does not check whether the current user is allowed to edit the displayed attachment and does always render the "Edit more details"-link and the "Edit Image"-button. This results in a "You are not allowed to edit this item." view when following "Edit more details" and a plain printed "-1" in the modal dialog when clicking "Edit Image", probably due to the above mentioned check being made on the server when requesting the image editor.
Steps to reproduce this issue:
Register a custom filter for "user_has_cap" and set the "edit_posts" capability for a specific media item to "false":
function test_individual_media_edit_capability($allcaps, $caps, $args) {
if ( count( $args ) > 2 && in_array( 'edit_posts', $caps ) ) {
$post = get_post( $args[2] );
if ( $post->ID == [EXISTING ATTACHMENT ID] && $post->post_type == 'attachment' )
$allcaps['edit_posts'] = false;
}
return $allcaps;
}
add_filter("user_has_cap", test_individual_media_edit_capability, 100, 3);
I am not familiar enough with the exact logic behind the Backbone MVC but managed to fix the issue using the provided patch of media-template.php.
Patch for media-template.php