[wp-trac] [WordPress Trac] #31236: wp_ajax_upload_attachment does not properly handle situation when post_id is set
WordPress Trac
noreply at wordpress.org
Wed Feb 4 23:13:49 UTC 2015
#31236: wp_ajax_upload_attachment does not properly handle situation when post_id
is set
--------------------------+-----------------------------
 Reporter:  johncacpro    |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Media         |    Version:  4.1
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------

In the wp_ajax_upload_attachment function of
wp_admin/includes/ajax_actions.php, it appears that the wrong capability
is checked by the current_user_can function if post_id is set in the
$_REQUEST object. At line 1845, this code exists:

    if ( ! current_user_can( 'edit_post', $post_id ) )

As far as I can tell, edit_post is not a valid capability. I was building
a custom post upload for my site that allowed certain users to add media.
I had given them the edit_posts capability and they were still receiving
the error message "You don't have permission to attach files to this
post." Once I changed this line of code in wp-admin to:

    if ( ! current_user_can( 'edit_posts', $post_id ) )

it worked as expected.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/31236>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
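
Added example, not part of the ticket and not WordPress core code: a standalone PHP model of how a per-post check such as current_user_can( 'edit_post', $post_id ) differs from a check on the primitive edit_posts capability. WordPress resolves edit_post through map_meta_cap() into primitive capabilities that depend on the post's author and status; the model_* function names, the reduced mapping rules (trashed posts and custom post types are left out) and the sample user and posts are assumptions constructed for illustration.

```php
<?php
// Simplified model of the 'edit_post' meta-capability mapping.
// Not WordPress code: names and data below are constructed for this example.

/** Primitive capabilities needed to edit one specific post. */
function model_required_caps(array $post, int $user_id): array {
    $live = in_array($post['status'], ['publish', 'future'], true);
    if ($post['author'] === $user_id) {
        // Own post: published or scheduled content needs a stronger primitive.
        return $live ? ['edit_published_posts'] : ['edit_posts'];
    }
    // Someone else's post always needs edit_others_posts.
    $caps = ['edit_others_posts'];
    if ($live) {
        $caps[] = 'edit_published_posts';
    } elseif ($post['status'] === 'private') {
        $caps[] = 'edit_private_posts';
    }
    return $caps;
}

/** Per-post check: the user must hold every primitive the post requires. */
function model_can_edit_post(array $user, array $post): bool {
    foreach (model_required_caps($post, $user['id']) as $cap) {
        if (empty($user['caps'][$cap])) {
            return false;
        }
    }
    return true;
}

/** Primitive check: the target post is never consulted. */
function model_can_edit_posts(array $user): bool {
    return !empty($user['caps']['edit_posts']);
}

// Constructed sample data: a user who holds only edit_posts.
$user  = ['id' => 7, 'caps' => ['edit_posts' => true]];
$posts = [
    'own draft'     => ['author' => 7, 'status' => 'draft'],
    'own published' => ['author' => 7, 'status' => 'publish'],
    "other's draft" => ['author' => 3, 'status' => 'draft'],
];
foreach ($posts as $label => $post) {
    printf("%-14s per-post=%-3s primitive=%s\n", $label,
        model_can_edit_post($user, $post) ? 'yes' : 'no',
        model_can_edit_posts($user) ? 'yes' : 'no');
}
```

The per-post column varies with the post's author and status, while the primitive column is the same for every post because the post ID plays no part in that decision.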