Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#42630 closed defect (bug) (duplicate)

Media Library file edit permissions nonsensical.

Reported by: fyiuramron
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.1
Component: Media
Keywords:
Focuses: administration
Cc:

Description

Current implementation in wp-admin/includes/class-wp-media-list-table.php's column_cb( $post ) shows that the capability required to edit a media file is "edit_post"; while this obviously allows us to restrict a user to editing his own uploads, since it is *not* required to have this cap to upload files, it makes the following nonsensical scenario possible:

  1. user has upload_files cap
  2. uploads a file
  3. can neither edit nor remove it *unless* he has a supposedly unrelated edit_post cap enabled (POLA violation)

E.g., I want to limit a user to "uploader" role, without allowing him to edit posts. It's currently impossible.

A possible solution would be to e.g. repurpose "edit_file" cap for this exact purpose, or create a new similar cap.

Alternatively, "edit_post" cap check can be replaced/supplanted with "upload_files" cap check combined with media file authorship check (i.e. can edit always if author and has "upload_files").
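
One way to express the last proposal above (authorship plus "upload_files" is enough to edit or delete an attachment), as an added example that is not WordPress core code and not a patch from this ticket. The uploader_ function names are hypothetical, and the rule is kept in a pure function so the file also runs outside WordPress with constructed values:

```php
<?php
/**
 * Added example (not WordPress core code): map the edit_post / delete_post
 * meta capabilities to upload_files when the target is an attachment that
 * the checking user uploaded. The uploader_ names are hypothetical.
 */

// Pure decision function: $caps is what core already requires for this check.
function uploader_map_attachment_cap( array $caps, string $cap, int $user_id, ?string $post_type, int $post_author ): array {
    if ( ! in_array( $cap, array( 'edit_post', 'delete_post' ), true ) ) {
        return $caps; // Not an edit/delete check: leave untouched.
    }
    if ( in_array( 'do_not_allow', $caps, true ) ) {
        return $caps; // Never loosen an explicit denial from core.
    }
    if ( 'attachment' !== $post_type ) {
        return $caps; // Posts and pages keep the normal mapping.
    }
    if ( 0 === $user_id || $user_id !== $post_author ) {
        return $caps; // Anonymous users and other people's uploads: unchanged.
    }
    return array( 'upload_files' ); // Own upload: upload_files is sufficient.
}

// Adapter for the map_meta_cap filter; $args[0] is the post ID being checked.
function uploader_filter_map_meta_cap( $caps, $cap, $user_id, $args ) {
    $post = isset( $args[0] ) ? get_post( (int) $args[0] ) : null;
    if ( ! $post ) {
        return $caps; // No object to reason about: keep core's answer.
    }
    return uploader_map_attachment_cap( (array) $caps, (string) $cap, (int) $user_id, $post->post_type, (int) $post->post_author );
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: register on the meta-capability mapping filter.
    add_filter( 'map_meta_cap', 'uploader_filter_map_meta_cap', 10, 4 );
} else {
    // Stand-alone run with constructed values: user 7 is the uploader.
    $core = array( 'edit_posts' ); // constructed stand-in for core's mapping
    var_dump( uploader_map_attachment_cap( $core, 'edit_post', 7, 'attachment', 7 ) );
    var_dump( uploader_map_attachment_cap( $core, 'edit_post', 7, 'attachment', 9 ) );
    var_dump( uploader_map_attachment_cap( $core, 'edit_post', 7, 'post', 7 ) );
    var_dump( uploader_map_attachment_cap( array( 'do_not_allow' ), 'delete_post', 7, 'attachment', 7 ) );
}
```

Only the first stand-alone call changes the required capability; the other three return core's mapping unchanged, so an upload-only role gains control of its own files without gaining access to posts or to other users' media.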

Change History (1)

#1 @johnbillion
7 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Thanks for the report, @fyiuramron! Welcome to WordPress Trac.

This is indeed a bug, and in fact immediately after uploading a file the user will see a Crunching... message which never finishes because the Ajax response contains an error stating that the user cannot edit the attachment that they've just uploaded.

I'm going to close this as a duplicate of #19834 as that's where this was first reported. See also #41332. Feel free to star or add a comment on either of those tickets.
