[wp-trac] [WordPress Trac] #42630: Media Library file edit permissions nonsensical.
WordPress Trac
noreply at wordpress.org
Sun Nov 19 21:01:09 UTC 2017
#42630: Media Library file edit permissions nonsensical.
----------------------------+-----------------------------
Reporter: fyiuramron | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Media | Version: trunk
Severity: normal | Keywords:
Focuses: administration |
----------------------------+-----------------------------
The current implementation in wp-admin/includes/class-wp-media-list-table.php's
column_cb( $post ) shows that the capability required to edit a media
file is "edit_post"; while this obviously allows us to restrict a user to
editing his own uploads, since it is *not* required to have this cap to
upload files, it makes the following nonsensical scenario possible:
1. user has upload_files cap
2. uploads a file
3. can neither edit nor remove it *unless* he has a supposedly unrelated
edit_post cap enabled (POLA violation)
E.g., I want to limit a user to an "uploader" role, without allowing him to
edit posts. It's currently impossible.
A possible solution would be to e.g. repurpose the "edit_file" cap for this
exact purpose, or create a new similar cap.
Alternatively, the "edit_post" cap check can be replaced/supplanted with an
"upload_files" cap check combined with a media file authorship check (i.e.
can edit always if author and has "upload_files").
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42630>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
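One way to implement the authorship-based alternative the report proposes, as an added example that is neither WordPress core code nor a patch attached to this ticket: a small mu-plugin that uses core's add_role() and the map_meta_cap filter to let a user who holds only upload_files edit and delete the attachments they authored, while leaving every other capability decision to core. The role slug "uploader" is an assumption for the example.

```php
<?php
/**
 * Plugin Name: Uploader owns own uploads (added example)
 *
 * Illustrative mu-plugin, not WordPress core code. It remaps the
 * edit_post / delete_post meta caps on the attachment post type so that
 * the file's author only needs upload_files. The role slug "uploader"
 * is an assumption made for this example.
 */

// A role that can upload but deliberately has no edit_posts / delete_posts:
// the "uploader" the report describes.
add_action( 'init', function () {
	if ( null === get_role( 'uploader' ) ) {
		add_role( 'uploader', 'Uploader', array(
			'read'         => true,
			'upload_files' => true,
		) );
	}
} );

// For an attachment the user authored, core's map_meta_cap() resolves
// edit_post / delete_post to the primitive edit_posts / delete_posts
// (attachments have post_status "inherit", which core handles like an
// unpublished own post). Replace exactly those two primitives with
// upload_files. Anything else core produced (do_not_allow,
// edit_published_posts, ...) is left alone, and files authored by other
// users are never touched, so an uploader still cannot edit or delete
// someone else's media.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
	if ( 'edit_post' !== $cap && 'delete_post' !== $cap ) {
		return $caps;
	}
	$post = isset( $args[0] ) ? get_post( $args[0] ) : null;
	if ( ! $post || 'attachment' !== $post->post_type ) {
		return $caps;
	}
	if ( (int) $post->post_author !== (int) $user_id ) {
		return $caps; // not the author: keep core's decision unchanged
	}
	$swap = array(
		'edit_posts'   => 'upload_files',
		'delete_posts' => 'upload_files',
	);
	foreach ( $caps as $i => $primitive ) {
		if ( isset( $swap[ $primitive ] ) ) {
			$caps[ $i ] = $swap[ $primitive ];
		}
	}
	return array_values( array_unique( $caps ) );
}, 10, 4 );

// The media list table's checkbox and its edit/delete row actions reduce
// to these two questions, so with the filter above an uploader gets true
// for their own files and false for everyone else's:
//
//   current_user_can( 'edit_post', $attachment_id );
//   current_user_can( 'delete_post', $attachment_id );
```

Drop the file into wp-content/mu-plugins/ and assign the role to a test user. The filter only ever widens access for the file's own author; deleting an attachment also removes the file from disk and breaks any post that embeds it, so a site that attaches uploaders' files to other people's posts should decide deliberately whether delete_post, and not just edit_post, belongs in that swap table.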