Make WordPress Core

Opened 9 years ago

Closed 9 years ago

#29596 closed defect (bug) (fixed)

Media Grid View not respecting individual edit capabilities

Reported by: skaeser Owned by: SergeyBiryukov
Milestone: 4.0.1 Priority: normal
Severity: normal Version: 4.0
Component: Media Keywords: has-patch commit fixed-major
Focuses: Cc:

Description

The attachment detail modal used in the Media Grid View does not check whether the current user is allowed to edit the displayed attachment and always renders the "Edit more details" link and the "Edit Image" button. This results in a "You are not allowed to edit this item." view when following "Edit more details" and a plain printed "-1" in the modal dialog when clicking "Edit Image", probably due to the above-mentioned check being made on the server when requesting the image editor.

Steps to reproduce this issue:

Register a custom filter for "user_has_cap" and set the "edit_posts" capability for a specific media item to "false":

// Deny the 'edit_posts' primitive when it is requested for one specific attachment.
// $args[2] is the object (post) ID that was passed to current_user_can().
function test_individual_media_edit_capability( $allcaps, $caps, $args ) {
  if ( count( $args ) > 2 && in_array( 'edit_posts', $caps ) ) {
    $post = get_post( $args[2] );
    if ( $post && $post->ID == [EXISTING ATTACHMENT ID] && $post->post_type == 'attachment' )
      $allcaps['edit_posts'] = false;
  }
  return $allcaps;
}

add_filter( 'user_has_cap', 'test_individual_media_edit_capability', 100, 3 );

I am not familiar enough with the exact logic behind the Backbone MVC but managed to fix the issue using the provided patch to media-template.php.
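Added example (not the patch attached to this ticket and not WordPress core code): a small plugin that applies the same kind of per-attachment restriction the reporter describes, but at the map_meta_cap level instead of user_has_cap, and a custom AJAX handler showing where the check that actually enforces it has to live. The constant RESTRICTED_ATTACHMENT_ID, the function names and the AJAX action/nonce names are hypothetical; the WordPress functions used (map_meta_cap filter, current_user_can, check_ajax_referer, wp_update_post, wp_send_json_*) are real core APIs.

```php
<?php
/*
 * Plugin Name: Per-attachment edit restriction (added example)
 *
 * Added example, not the patch attached to this ticket and not core code.
 * Restricts editing of one attachment and shows where the check that
 * actually enforces the restriction lives. RESTRICTED_ATTACHMENT_ID, the
 * function names and the AJAX action/nonce names are hypothetical.
 */

if ( ! defined( 'RESTRICTED_ATTACHMENT_ID' ) ) {
	define( 'RESTRICTED_ATTACHMENT_ID', 0 ); // replace 0 with a real attachment ID when testing
}

/*
 * Deny edit_post and delete_post for the restricted attachment when the
 * meta capability is mapped. Returning array( 'do_not_allow' ) makes
 * current_user_can( 'edit_post', $id ) false for every user, administrators
 * included, so every code path that asks the question (the attachment
 * modal's "can.save" flag, the Edit Media screen, the AJAX image editor)
 * gets the same answer.
 */
function example_restrict_attachment_caps( $caps, $cap, $user_id, $args ) {
	if ( ! in_array( $cap, array( 'edit_post', 'delete_post' ), true ) || empty( $args[0] ) ) {
		return $caps;
	}
	$post = get_post( $args[0] );
	if ( $post && 'attachment' === $post->post_type && (int) $post->ID === (int) RESTRICTED_ATTACHMENT_ID ) {
		return array( 'do_not_allow' );
	}
	return $caps;
}
add_filter( 'map_meta_cap', 'example_restrict_attachment_caps', 10, 4 );

/*
 * Server-side check for a custom AJAX handler that changes an attachment
 * (here: its caption). Hiding the link or button in the modal only improves
 * the UX; the capability check below is the control that rejects an
 * unauthorised request regardless of what the client rendered or sent.
 */
function example_ajax_set_attachment_caption() {
	check_ajax_referer( 'example-set-caption' );

	$id = isset( $_POST['attachment_id'] ) ? (int) $_POST['attachment_id'] : 0;
	if ( ! $id || 'attachment' !== get_post_type( $id ) ) {
		wp_send_json_error( array( 'message' => 'Not an attachment.' ) );
	}
	if ( ! current_user_can( 'edit_post', $id ) ) {
		wp_send_json_error( array( 'message' => 'You are not allowed to edit this item.' ) );
	}

	$caption = isset( $_POST['caption'] ) ? sanitize_text_field( wp_unslash( $_POST['caption'] ) ) : '';
	$result  = wp_update_post( array( 'ID' => $id, 'post_excerpt' => $caption ), true );
	if ( is_wp_error( $result ) ) {
		wp_send_json_error( array( 'message' => $result->get_error_message() ) );
	}
	wp_send_json_success( array( 'id' => $id, 'caption' => $caption ) );
}
add_action( 'wp_ajax_example_set_attachment_caption', 'example_ajax_set_attachment_caption' );
```

Core's wp_prepare_attachment_for_js() already fills the attachment model's can.save flag from current_user_can( 'edit_post', $attachment->ID ), so with this plugin active the restricted attachment arrives in the modal with can.save = false; a template that tests that flag before rendering the edit controls is the client-side half of the fix, while the capability check in the handler is the half that matters for security.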

Attachments (1)

media-template.php.patch (1018 bytes) - added by skaeser 9 years ago.
Patch for media-template.php


Change History (5)

@skaeser
9 years ago

Patch for media-template.php

#1 @SergeyBiryukov
9 years ago

  • Milestone changed from Awaiting Review to 4.0.1

#2 @SergeyBiryukov
9 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 29723:

Don't display Edit links for attachments user cannot edit.

props skaeser.
fixes #29596 for trunk.

#3 @SergeyBiryukov
9 years ago

  • Keywords has-patch commit fixed-major added
  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopening for 4.0.1 consideration.

#4 @nacin
9 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 30408:

Don't display Edit links for attachments user cannot edit.

Merges [29723] to the 4.0 branch.

props skaeser.
fixes #29596.
