[wp-trac] [WordPress Trac] #29597: Media Grid View bulk deletion not respecting individual delete capabilities

WordPress Trac noreply at wordpress.org
Tue Sep 9 07:07:26 UTC 2014 

#29597: Media Grid View bulk deletion not respecting individual delete capabilities
--------------------------+-----------------------------
 Reporter:  skaeser       |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Media         |    Version:
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 The bulk delete functionality of the Media Grid View does not check
 whether the deleted items where actually deleted or not, it simply assumes
 they where and removes them from the list. When using individual delete
 capabilities on media items this results in items being removed from the
 list while they have not actually been deleted.

 Steps to reproduce this issue:

 Register a custom filter for "user_has_cap" and set the "delete_posts" and
 "delete_post" capability for a specific attachment to "false":

 {{{
 function test_individual_media_delete_capability($allcaps, $caps, $args) {
   if ( count( $args ) > 2 && ( in_array( 'delete_post', $caps ) ||
 in_array( 'delete_posts', $caps ) ) ) {
     $post = get_post( $args[2] );
     if ( $post->ID == [EXISTING ATTACHMENT ID] && $post->post_type ==
 'attachment' ) {
       $allcaps['delete_post'] = false;
       $allcaps['delete_posts'] = false;
     }
   }
   return $allcaps;
 }

 add_filter("user_has_cap", test_individual_media_delete_capability, 100,
 3);
 }}}

 Now go to the Media Library (Grid View) and click "Bulk Select".

 Select the attachment having the ID used in the function above and press
 "Delete Selected". The attachment gets removed from the list.

 Reload the page and the attachment is back in place.


 As the AJAX call to "admin-ajax.php" (action: delete-post) properly
 returns a "-1" if deletion of the post fails, the fix should only involve
 JavaScript. Unfortunately I am not familiar enough with the JavaScript
 architecture in place to create a proper fix.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/29597>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list