WordPress.org

Make WordPress Core

Opened 9 days ago

Last modified 9 days ago

#44581 new defect (bug)

users without 'edit_posts' capability never get informed that their uploads succeed

Reported by: pbiron Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Media Keywords: has-patch has-screenshots
Focuses: Cc:

Description

Steps to reproduce:

  1. create a user with upload_files capability but not edit_posts capability
  2. login as that user
  3. upload a media file
  4. notice that the status of the upload stays at Crunching...
  5. notice also that the filename/post_title eventually ends up blank

Expected behavior:

  1. user gets some sort of "Success" notification (analogous to the Edit link that users with edit_posts capability get)

I discovered this problem on a site with users whose role is basically Subscriber but with upload_files capability. The problem is that /wp-admin/async-upload.php contains:

<?php
if ( ! current_user_can( 'edit_post', $id ) )
        wp_die( __( 'Sorry, you are not allowed to edit this item.' ) );

My current workaround is to hook into user_has_cap and add edit_posts IFF edit_post is being checked from async-upload.php and its an attachment whose post_author is the current user. This workaround is not ideal (because I don't want these users to be able to edit the attachment), but at least they know the upload succeeded.

Attachments (4)

crunching.png (7.2 KB) - added by pbiron 9 days ago.
this is what users without 'edit_posts' capability see after their upload has succeeded
done-crunching.png (5.5 KB) - added by pbiron 9 days ago.
this is what users with 'edit_posts' capability see after their upload has succeeded
44581.diff (1.6 KB) - added by pbiron 9 days ago.
report "Success" for users without 'edit_post' capability
success.png (5.9 KB) - added by pbiron 9 days ago.
this is what users without 'edit_posts' capability see after their upload has succeeded after 44581.diff is applied

Download all attachments as: .zip

Change History (5)

@pbiron
9 days ago

this is what users without 'edit_posts' capability see after their upload has succeeded

@pbiron
9 days ago

this is what users with 'edit_posts' capability see after their upload has succeeded

@pbiron
9 days ago

report "Success" for users without 'edit_post' capability

@pbiron
9 days ago

this is what users without 'edit_posts' capability see after their upload has succeeded after 44581.diff is applied

#1 @pbiron
9 days ago

  • Keywords has-patch has-screenshots added
Note: See TracTickets for help on using tickets.