Make WordPress Core

Opened 8 years ago

Closed 8 years ago

Last modified 7 years ago

#37186 closed defect (bug) (fixed)

Media library shows post titles for posts the user can't read

Reported by: helen
Owned by: helen
Milestone: 4.6
Priority: normal
Severity: normal
Version:
Component: Media
Keywords: has-patch
Focuses: administration
Cc:

Description

If a user cannot read a post, the title of that post should not show up in the media library at all, not just unlinked.

The issue of whether attachments are private in any sort of meaningful way is another thing entirely. :) :(

Related: #26807

Attachments (2)

37186.diff (3.0 KB) - added by helen 8 years ago.
Screen Shot 2016-06-26 at 4.27.28 PM.png (245.7 KB) - added by helen 8 years ago.

Change History (10)

#1 @helen
8 years ago

37186.diff shows (Private post) in place of the post title, to differentiate from (Unattached) and reduce confusion. Not sure if this is truly ideal, but I found using something like an mdash was confusing to me about why something was unattached or not. In the grid view, since we don't show the unattached message, "uploaded to" is just hidden entirely. The logic around data.uploadedToTitle remains in the template, as someone could filter that in using wp_prepare_attachment_for_js.

#2 @karmatosed
8 years ago

I think this solution works for now. +1 to merge from me.

#3 @helen
8 years ago

  • Owner set to helen
  • Resolution set to fixed
  • Status changed from new to closed

In 37941:

Media: Only show parent post titles when the user can read said post.

fixes #37186.

#4 @littler.chicken
8 years ago

I think this change needs to check if a $parent_type (line 478 in class-wp-media-list-table.php) returns a null value; e.g. if a post type is no longer registered (not usual, but it happens). Currently, if a post type is not registered and I visit the Media Library, or just use the Media Uploader, I get a notice along the lines of:

PHP Notice:  map_meta_cap was called <strong>incorrectly</strong>. The post type {no longer registered CPT} is not registered, so it may not be reliable to check the capability "read_post" against a post of that type.

Even if a post type is no longer registered, $parent = get_post( $post->post_parent ); is returned as an object (line 471). Line 478, however, returns null for the parent post type:

$parent_type = get_post_type_object( $parent->post_type );

which then throws the notice for the elseif when WP checks if the current user can read the post of this post type.

My guess is then that this function needs to add in a check for a null value of the parent post type, and deal with it accordingly, but I don't know how you would want that to show in the list. It does currently show the title of the no longer registered post type's post, which seems reasonable enough, and it's not linked, also reasonable, but I think it would be good to get rid of this notice. Changing the elseif conditional (line 484) to:

elseif ( null === $parent_type || current_user_can( 'read_post', $post->post_parent ) )

leaves the title intact, unlinked, without causing the notices, although I suppose it leaves the title visible for users without read privileges, so probably needs a little more something. In the wp-includes/media.php file, changing the conditional in line 3069 to:

if ( null !== $parent_type && current_user_can( 'read_post', $attachment->post_parent ) )

seems to address the issue for the media uploader, and I don't know that the parent title is displayed there, so that may be enough.

#5 @SergeyBiryukov
8 years ago

In 37952:

Media: Avoid PHP notices when trying to show a parent post title of an orphaned post type.

Props littler.chicken.
See #37186.
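
The null-type check from comment 4 combined with the read check so that the title stays hidden when the parent's post type is unregistered, as an added example that is not WordPress core code and not the code from changesets 37941 or 37952. `example_parent_label()` and the sample posts are hypothetical; the three WordPress functions are stubbed with constructed data only when WordPress is not loaded, and failing closed for an orphaned type is an assumption of this example.

```php
<?php
// Added illustration, not WordPress core code. The stubs below exist only so the
// file runs outside WordPress; their data is constructed for the example.
if ( ! function_exists( 'get_post' ) ) {
	function get_post( $id ) {
		$posts = array( // constructed sample posts
			10 => (object) array( 'ID' => 10, 'post_type' => 'post', 'post_title' => 'Public news' ),
			11 => (object) array( 'ID' => 11, 'post_type' => 'post', 'post_title' => 'Secret draft' ),
			12 => (object) array( 'ID' => 12, 'post_type' => 'old_cpt', 'post_title' => 'Orphaned item' ),
		);
		return isset( $posts[ $id ] ) ? $posts[ $id ] : null;
	}
	function get_post_type_object( $type ) {
		// Only 'post' is registered in this sample; 'old_cpt' is orphaned.
		return 'post' === $type ? (object) array( 'name' => 'post' ) : null;
	}
	function current_user_can( $cap, $id ) {
		// The sample user may read post 10 only.
		return 'read_post' === $cap && 10 === $id;
	}
}

/**
 * Hypothetical helper: text for the "Uploaded to" column of one attachment.
 * The caller is expected to escape the returned string on output.
 */
function example_parent_label( $parent_id ) {
	$parent = $parent_id ? get_post( $parent_id ) : null;
	if ( ! $parent ) {
		return '(Unattached)';
	}
	// Orphaned post type: skip current_user_can() so map_meta_cap raises no
	// notice, and hide the title because readability cannot be decided.
	if ( null === get_post_type_object( $parent->post_type ) ) {
		return '(Private post)';
	}
	// Registered type: show the title only to users who can read the parent.
	if ( current_user_can( 'read_post', $parent->ID ) ) {
		return $parent->post_title;
	}
	return '(Private post)';
}

// Unattached, readable, unreadable, and orphaned-type parents in turn.
foreach ( array( 0, 10, 11, 12 ) as $id ) {
	printf( "%d => %s\n", $id, example_parent_label( $id ) );
}
```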
