Opened 7 years ago
Closed 7 years ago
#42630 closed defect (bug) (duplicate)
Media Library file edit permissions nonsensical.
| Reported by: | fyiuramron | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 5.1 |
| Component: | Media | Keywords: | |
| Focuses: | administration | Cc: | |
Description
Current implementation in wp-admin/includes/class-wp-media-list-table.php's column_cb( $post ) shows that the capability required to edit a media file is "edit_post"; while this obviously allows us to restrict a user to editing his own uploads, since it is *not* required to have this cap to upload files, it makes the following nonsensical scenario possible:
- user has upload_files cap
- uploads a file
- can neither edit nor remove it *unless* he has a supposedly unrelated edit_post cap enabled (POLA violation)
E.g., I want to limit a user to "uploader" role, without allowing him to edit posts. It's currently impossible.
A possible solution would be to e.g. repurpose "edit_file" cap for this exact purpose, or create a new similar cap.
Alternatively, "edit_post" cap check can be replaced/supplanted with "upload_files" cap check combined with media file authorship check (i.e. can edit always if author and has "upload_files").
Thanks for the report, @fyiuramron! Welcome to WordPress Trac.
This is indeed a bug, and in fact immediately after uploading a file the user will see a "Crunching..." message which never finishes because the Ajax response contains an error stating that the user cannot edit the attachment that they've just uploaded.

I'm going to close this as a duplicate of #19834 as that's where this was first reported. See also #41332. Feel free to star or add a comment on either of those tickets.
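
The alternative suggested in the description (allow editing when the user is the attachment's author and holds upload_files) can be expressed through WordPress's `map_meta_cap` filter. This is an added example, not code from the ticket or from WordPress core; the function name is hypothetical and it assumes the file is loaded as a plugin.

```php
<?php
/**
 * Added example (not WordPress core code): an upload-only role may edit or
 * delete attachments it authored, without being granted edit_posts.
 * The function name is hypothetical.
 */
function example_map_own_attachment_caps( $caps, $cap, $user_id, $args ) {
	// Only the per-object meta capabilities named in the ticket are remapped.
	if ( ! in_array( $cap, array( 'edit_post', 'delete_post' ), true ) ) {
		return $caps;
	}

	// Never loosen a hard denial that core has already decided on.
	if ( in_array( 'do_not_allow', $caps, true ) ) {
		return $caps;
	}

	// The object ID is the first extra argument; without it there is nothing to check.
	if ( empty( $args[0] ) || 0 === (int) $user_id ) {
		return $caps;
	}

	$post = get_post( (int) $args[0] );
	if ( ! $post || 'attachment' !== $post->post_type ) {
		return $caps;
	}

	// Authorship check: other users' uploads keep the stock mapping,
	// so this does not grant access to anyone else's media.
	if ( (int) $post->post_author !== (int) $user_id ) {
		return $caps;
	}

	// For the author's own attachment, require upload_files and nothing else.
	return array( 'upload_files' );
}
add_filter( 'map_meta_cap', 'example_map_own_attachment_caps', 10, 4 );
```

Returning the primitive `upload_files` (rather than an empty array) means a user who later loses that capability also loses edit access to earlier uploads.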