Make WordPress Core

Opened 10 years ago

Closed 10 years ago

#29596 closed defect (bug) (fixed)

Media Grid View not respecting individual edit capabilities

Reported by: skaeser Owned by: SergeyBiryukov
Milestone: 4.0.1 Priority: normal
Severity: normal Version: 4.0
Component: Media Keywords: has-patch commit fixed-major
Focuses: Cc:

Description

The attachment detail modal used in the Media Grid View does not check whether the current user is allowed to edit the displayed attachment and always renders the "Edit more details" link and the "Edit Image" button. This results in a "You are not allowed to edit this item." view when following "Edit more details" and a plain printed "-1" in the modal dialog when clicking "Edit Image", probably because the above-mentioned check is made on the server when requesting the image editor.

Steps to reproduce this issue:

Register a custom filter for "user_has_cap" and set the "edit_posts" capability for a specific media item to "false":

function test_individual_media_edit_capability( $allcaps, $caps, $args ) {
  // $args[2] is the post ID when a meta capability such as edit_post is being checked.
  if ( count( $args ) > 2 && in_array( 'edit_posts', $caps ) ) {
    $post = get_post( $args[2] );
    // get_post() returns null for an unknown ID; guard before reading properties.
    if ( $post && $post->ID == [EXISTING ATTACHMENT ID] && $post->post_type == 'attachment' )
      $allcaps['edit_posts'] = false;
  }
  return $allcaps;
}

// The callback must be passed as a string; a bare identifier is an undefined constant.
add_filter( 'user_has_cap', 'test_individual_media_edit_capability', 100, 3 );

I am not familiar enough with the exact logic behind the Backbone MVC but managed to fix the issue using the provided patch to media-template.php.
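The following is an added example, not the reporter's patch and not WordPress core code. It shows the two halves the ticket is about: a per-attachment edit restriction enforced on the server through map_meta_cap (the hook WordPress resolves "edit_post" against, so the image editor and edit screen deny the request regardless of what the UI shows), and the same decision passed to the media JavaScript through the wp_prepare_attachment_for_js filter so the grid modal can hide controls the user cannot use. The lock policy, the meta key _example_locked, the response key canEditExample, all function names and the CSS selectors used to find the edit controls are assumptions made for this illustration; the hooks, wp_script_is(), current_user_can() and get_post_meta() are core WordPress functions.

```php
<?php
/**
 * Plugin Name: Example attachment edit lock (illustration only)
 *
 * Added example; not the ticket's patch and not core code. Policy and key
 * names below are constructed for the illustration.
 */

// 1. Server-side policy. Attachments carrying the constructed meta key
//    "_example_locked" may only be edited by users who also have
//    manage_options. Because this runs in map_meta_cap, every
//    current_user_can( 'edit_post', $id ) call in core (edit screen,
//    image editor AJAX handler, media modal save) honours it.
function example_lock_attachment_edit( $caps, $cap, $user_id, $args ) {
    if ( 'edit_post' !== $cap || empty( $args[0] ) ) {
        return $caps;
    }
    $post = get_post( $args[0] );
    if ( ! $post || 'attachment' !== $post->post_type ) {
        return $caps;
    }
    if ( get_post_meta( $post->ID, '_example_locked', true ) ) {
        // Add a primitive capability on top of whatever core already required.
        $caps[] = 'manage_options';
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'example_lock_attachment_edit', 10, 4 );

// 2. Expose the server's decision to the client. wp_prepare_attachment_for_js()
//    builds the JSON model the media grid renders from; we add one boolean
//    computed with exactly the check the server makes when an edit is attempted.
//    "canEditExample" is our key, not a core key.
function example_expose_edit_capability( $response, $attachment ) {
    $response['canEditExample'] = current_user_can( 'edit_post', $attachment->ID );
    return $response;
}
add_filter( 'wp_prepare_attachment_for_js', 'example_expose_edit_capability', 10, 2 );

// 3. Usability only: remove the edit controls from the attachment details view
//    when the model says the user cannot edit. Step 1 is what actually denies
//    the edit; this just avoids the "-1" / "not allowed" dead ends the reporter
//    describes. Printed after core's footer scripts so wp.media is defined.
//    Assumptions: the view class wp.media.view.Attachment.Details and the
//    selectors ".edit-attachment" / ".edit-image" for the two controls.
function example_media_grid_gate_script() {
    if ( ! wp_script_is( 'media-views', 'done' ) ) {
        return; // media-views was not printed on this screen; nothing to gate.
    }
    ?>
    <script type="text/javascript">
    (function () {
        if ( ! window.wp || ! wp.media || ! wp.media.view.Attachment ||
             ! wp.media.view.Attachment.Details ) {
            return;
        }
        var Details = wp.media.view.Attachment.Details,
            render  = Details.prototype.render;
        Details.prototype.render = function () {
            render.apply( this, arguments );
            // Strict false: an undefined flag (older model, other plugin) changes nothing.
            if ( this.model.get( 'canEditExample' ) === false ) {
                this.$( '.edit-attachment, .edit-image' ).remove();
            }
            return this;
        };
    })();
    </script>
    <?php
}
add_action( 'admin_print_footer_scripts', 'example_media_grid_gate_script', 20 );
```

Drop the file into wp-content/mu-plugins/, set the _example_locked meta on one attachment and open the grid as a non-administrator: the server rejects the edit whether or not the controls are visible, and the modal no longer offers them. The order matters in practice: the map_meta_cap rule is the security boundary, the JSON flag and script only keep the UI consistent with it.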

Attachments (1)

media-template.php.patch (1018 bytes) - added by skaeser 10 years ago.
Patch for media-template.php


Change History (5)

@skaeser
10 years ago

Patch for media-template.php

#1 @SergeyBiryukov
10 years ago

  • Milestone changed from Awaiting Review to 4.0.1

#2 @SergeyBiryukov
10 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 29723:

Don't display Edit links for attachments user cannot edit.

props skaeser.
fixes #29596 for trunk.

#3 @SergeyBiryukov
10 years ago

  • Keywords has-patch commit fixed-major added
  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopening for 4.0.1 consideration.

#4 @nacin
10 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 30408:

Don't display Edit links for attachments user cannot edit.

Merges [29723] to the 4.0 branch.

props skaeser.
fixes #29596.
