WordPress.org

Make WordPress Core

Opened 11 years ago

Closed 5 years ago

#8234 closed enhancement (duplicate)

Users with upload_files capability should be able to edit and delete uploaded files without having the edit_post/delete_post capability

Reported by: olethomas Owned by:
Milestone: Priority: low
Severity: minor Version: 2.7
Component: Upload Keywords:
Focuses: Cc:

Description

Users with upload_files capability are able to upload files but can't edit/delete his/her own uploaded files without having the edit_post/delete_post capability. Users capable to upload files should also be capable to edit/delete their own uploaded files.

Change History (10)

#1 follow-up: @mrmist
11 years ago

I believe this behaviour was introduced in [9686] to fix an issue where users could delete media they shouldn't be able to (I.E. belonging to others).

I wouldn't want that reverted completely.

Of course if the checks can be made more specific, then that's great. Though you'd have to watch out because if you are talking about deleting / editing media that's attached to a post then effectively you are editing a post and it should be checking for edit post ability.

#2 @azaozz
11 years ago

  • Milestone changed from 2.7 to 2.8
  • Type changed from defect to enhancement

This can be achieved by using a plugin. Currently the user capabilities system is not as granular. It may be included in the future, but not in 2.7 which is at beta 3 already.

#3 in reply to: ↑ 1 @olethomas
11 years ago

Replying to mrmist:

I believe this behaviour was introduced in [9686] to fix an issue where users could delete media they shouldn't be able to (I.E. belonging to others).

I wouldn't want that reverted completely.

Of course if the checks can be made more specific, then that's great. Though you'd have to watch out because if you are talking about deleting / editing media that's attached to a post then effectively you are editing a post and it should be checking for edit post ability.

When using Wordpress as a CMS some users only have the edit_pages and upload_files capability and not edit_post. These users can upload files and edit them via the upload utility in the "Add new page"-screen but are restricted from editing their own files via the Media-page. A check for both edit_pages and edit_post could solve the problem. Don't know if that would cause other problems.

#4 @mrmist
11 years ago

I guess it depends on a few factors -

If the media is not attached to anything, a user should be able to edit/delete their own media without restriction.

If the media is attached to something, the user should be able to edit/delete their own media if they would normally be able to edit the thing it's attached to.

At editor level or above, the restrictions need not apply.

I suspect the reason that it currently isn't coded to that degree is because of what azaozz mentioned - that level of granularity is not within WordPress core.

#5 @FFEMTcJ
10 years ago

  • Milestone changed from 2.8 to Future Release

#6 @Denis-de-Bernardy
10 years ago

  • Keywords needs-patch added
  • Priority changed from normal to low
  • Severity changed from normal to minor

#7 @Denis-de-Bernardy
10 years ago

  • Keywords 2nd-opinion added
  • Milestone changed from Future Release to 2.9

#8 @Denis-de-Bernardy
10 years ago

  • Keywords 2nd-opinion removed

#9 @ryan
10 years ago

  • Milestone changed from 2.9 to Future Release

#10 @SergeyBiryukov
5 years ago

  • Keywords needs-patch removed
  • Milestone Future Release deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #19834.

Note: See TracTickets for help on using tickets.