WordPress.org

Make WordPress Core

Opened 4 years ago

Last modified 5 months ago

#32654 assigned defect (bug)

Denying upload_files cap makes Customizer and Media modal act oddly

Reported by: Otto42 Owned by: wonderboymusic
Milestone: Priority: normal
Severity: normal Version: 4.3
Component: Media Keywords: has-patch
Focuses: Cc:
PR Number:

Description

This is an unusual one, so labeling it as an enhancement rather than a bug. Somebody more familiar with the Customizer classes and Media modal might know the right way to handle this properly.

If you disable the upload_files capability, with the intent of not allowing file uploads by anybody (duh), then the customizer acts very odd in the assorted image-related controls.

Example code:

add_filter('user_has_cap', 'no_file_uploads');
function no_file_uploads( $caps ) {
	$caps['upload_files'] = false;
	return $caps;
}

The "Header Image" section still has an "Add New Image" button, which gives you the Media Library popup, with a spinner that never stops spinning. Also, the Upload Files tab still exist.

The "Background Image" section has a Select Image button, with the same broken Media Library popup as the other one.

Expected behavior: Media chooser that works, no Upload Files tab.

This may be an issue both with the Customizer showing incorrect buttons, or which more properly belongs to the Media modal in that it should still be possible to select an image even if you cannot upload one.

Alternatively, disabling upload_files in this way may be the wrong way to do it, although it is the most obvious approach.

Attachments (1)

32654.diff (3.4 KB) - added by wonderboymusic 4 years ago.

Download all attachments as: .zip

Change History (6)

#1 @wonderboymusic
4 years ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 4.3
  • Type changed from enhancement to defect (bug)

The query for attachments requires the cap, so I view the endless spinner as a bug. Incoming patch will hide buttons when the user doesn't have the cap. The second portion, making the modal readable, will be tricky.

@wonderboymusic
4 years ago

#2 @wonderboymusic
4 years ago

In 32913:

The query-attachments AJAX action immediately errors out if the user doesn't have the upload_files cap. As such, the Customizer shouldn't show buttons that launch the media modal when the user doesn't have the proper permissions to query attachments.

See #32654.

#3 @wonderboymusic
4 years ago

  • Owner set to wonderboymusic
  • Status changed from new to assigned

#4 @wonderboymusic
4 years ago

  • Milestone changed from 4.3 to Future Release

This is going to require some surgery

Note: See TracTickets for help on using tickets.