[wp-trac] [WordPress Trac] #42630: Media Library file edit permissions nonsensical.

WordPress Trac noreply at wordpress.org
Sun Nov 19 21:01:09 UTC 2017

#42630: Media Library file edit permissions nonsensical.
 Reporter:  fyiuramron      |      Owner:
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  Media           |    Version:  trunk
 Severity:  normal          |   Keywords:
  Focuses:  administration  |
 current implementation in wp-admin/includes/class-wp-media-list-table.php
 's column_cb( $post ) shows that the capability required to edit a media
 file is "edit_post"; while this obviously allows us to restrict a user to
 editing his own uploads, since it is *not* required to have this cap to
 upload files, it makes the following nonsensical scenario possible:

 1. user has upload_files cap
 2. uploads a file
 3. can neither edit or remove it *unless* he has a supposedly unrelated
 edit_post cap enabled (POLA violation)

 E.g., I want to limit a user to "uploader" role, without allowing him to
 edit posts. It's currently impossible.

 A possible solution would be to e.g. repurpose "edit_file" cap for this
 exact purpose, or create a new similar cap.

 Alternatively, "edit_post" cap check can be replaced/supplanted with
 "upload_files" cap check combined with media file authorship check (i.e.
 can edit always if author and has "upload_files").

Ticket URL: <https://core.trac.wordpress.org/ticket/42630>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list