WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 2 years ago

#38130 closed defect (bug) (invalid)

Multisite bug with current_user_can() and subscriber

Reported by: JazZ7
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Users
Keywords: reporter-feedback
Focuses: multisite
Cc:

Description

On multisite, Subscribers have upload_files permission, but in wp-admin/includes/ajax-actions.php wp_ajax_upload_attachment() does not work because current_user_can() returns false on line 2018:

<?php
    if ( ! current_user_can( 'upload_files' ) ) {
        echo wp_json_encode( array(
            'success' => false,
            'data'    => array(
                'message'  => __( 'Sorry, you are not allowed to upload files.' ),
                'filename' => $_FILES['async-upload']['name'],
            )
        ) );
 
        wp_die();
    }

Thanks for your help.

Change History (5)

#1 @SergeyBiryukov
3 years ago

  • Component changed from General to Users

#2 @johnjamesjacoby
3 years ago

  • Keywords reporter-feedback added

> On multisite, Subscribers have upload_files permission

I don't think this is accurate. Can you point to where you're seeing this capability applied or mapped?

schema.php doesn't add it to user roles, and I don't see anything in map_meta_cap().

#3 @SergeyBiryukov
3 years ago

And if you're adding the capability with your own code, could you share all the relevant code?

#4 @JazZ7
3 years ago

Thanks for your support.

Here is the code that handles the subscribers upload_files permission:
(doing this in the template for demonstration)

/wp-content/themes/my-theme/profile.php:

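<?php
/*
Template Name: Page Profile
*/

// Grant upload_files to the subscriber role and dump the role object.
$sub_role = get_role('subscriber');
$sub_role->add_cap('upload_files');
var_export($sub_role);

echo "<br /><br />";

// Dump the current user's own capabilities array.
$user_ID = get_current_user_id();
$user = new WP_User($user_ID);
var_export($user->caps);

echo "<br /><br />";

// Ask WordPress whether the current user can upload files.
var_export(current_user_can('upload_files'));

die();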

The result is:

WP_Role::__set_state(array( 'name' => 'subscriber', 'capabilities' => array ( 'read' => true, 'level_0' => true, 'upload_files' => true, ), ))

array ( 'subscriber' => true, )

true

But the ajax request returns:

{'success': false, 'data':{'message': 'Sorry, you are not allowed to upload files.', 'filename': 'filename.jpg'}}
Last edited 3 years ago by JazZ7

#5 @jeremyfelt
2 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed
  • Version 4.6.1 deleted

Thanks for opening a ticket. This appears to be an issue with custom code in the theme rather than in WordPress core. Please feel free to comment further or reopen the ticket if this can be reproduced without plugins or a non-default theme installed.
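
A diagnostic for the discrepancy reported in comment #4, added here as an example and not part of the ticket or of WordPress core: it logs how upload_files resolves for the current user on a front-end page load and on the upload request, so the two contexts can be compared. The capdiag_* function names and the mu-plugin placement are assumptions.

```php
<?php
/**
 * Added diagnostic (not from the ticket). The capdiag_* names are
 * hypothetical. Assumed placement: a file in wp-content/mu-plugins/.
 */

function capdiag_snapshot( $cap ) {
    $user    = wp_get_current_user();
    $blog_id = get_current_blog_id();

    // On multisite, role definitions and a user's role assignment are
    // stored per site, so record which site this request resolved to.
    $role_grants = array();
    foreach ( (array) $user->roles as $role_name ) {
        $role                      = get_role( $role_name );
        $role_grants[ $role_name ] = $role ? $role->has_cap( $cap ) : null;
    }

    return array(
        'blog_id'          => $blog_id,
        'user_id'          => $user->ID,
        'member_of_blog'   => $user->ID ? is_user_member_of_blog( $user->ID, $blog_id ) : false,
        'roles_on_blog'    => array_values( (array) $user->roles ),
        'role_grants_cap'  => $role_grants,
        'in_allcaps'       => ! empty( $user->allcaps[ $cap ] ),
        'current_user_can' => current_user_can( $cap ),
    );
}

function capdiag_log( $context ) {
    error_log( 'capdiag ' . $context . ' ' . wp_json_encode( capdiag_snapshot( 'upload_files' ) ) );
}

// Front-end page load, before the page template is included.
add_action( 'template_redirect', function () {
    capdiag_log( 'template' );
} );

// admin_init fires for both admin-ajax.php and async-upload.php, before
// wp_ajax_upload_attachment() performs its capability check.
add_action( 'admin_init', function () {
    if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ) {
        capdiag_log( 'upload' );
    }
} );
```

A differing blog_id, an empty roles_on_blog, or a false role_grants_cap entry between the two log lines shows which input to current_user_can() changed between the requests.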
