Bug report: media permission issue | WordPress.org

Resolved antonhg
(@antonhg)

7 months ago
Unauthorized users can still see blocked medias

Test environment: A freshly installed wordpress environment with no other plugins installed.

Steps to replicate:
[1] In PP Permission settings, make sure nobody can see other people’s medias:

1.1 Check Core, Filter Types, Media.

1.2 Uncheck Media Library, Other users’ unattached uploads listed by default

1.3 Uncheck Media Library, List other users’ uploads if attached to a readable post

1.4 Uncheck Media Library, List other users’ uploads if attached to an editable post

1.5 Uncheck Media Library, Allow editing other users’ uploads if attached to an editable post

1.6 Check Prevent editing uploads if attached to a non-editable post

[2] Create an user with author role

[3] Upload any media as admin. The execution order of step 2 and 3 are interchangeable.

[4] Optionally check to ensure that the author user doesnt see the media uploaded by admin

[5] As the author user, create a post. Add a link to the post. Type the name of the media uploaded by the admin. Within a few keys strokes, the media is hinted, the author can add this media to the post and use the link to see the media.

Ideally, blocked media shouldnt show up in hints and accessing links to blocked medias should return 404.
- This topic was modified 7 months ago by antonhg.

Viewing 6 replies - 1 through 6 (of 6 total)

Plugin Author Steve Burge
(@stevejburge)

7 months ago

Hi @antonhg. Thanks for using PublishPress.

With the hints, are you talking about the block editor and the feature shown in this image? https://imgur.com/a/oNJ0LRJ

When it comes to 404 errors for direct access to the media files, that is possible with the Pro version of Permissions: https://publishpress.com/knowledge-base/regulate-file-url-access/. In the Free version, the plugin will hide those media files inside WordPress, but not also provide 404 protection.

Thread Starter antonhg
(@antonhg)

7 months ago

With the hints, are you talking about the block editor and the feature shown in this image? https://imgur.com/a/oNJ0LRJ

Yes. Sorry for not being clear initially.

Plugin Support Riza Prihananto
(@rizaprihananto)

7 months ago

Hi @antonhg ,

So, as Steve mentioned, you will be able to restrict users from seeing the media via link on the post if you use the pro version.

Plugin Author Steve Burge
(@stevejburge)

7 months ago

@antonhg @rizaprihananto Not with the link editor. That is a loophole that we’ll need to fix.

Thread Starter antonhg
(@antonhg)

6 months, 3 weeks ago

The peeking link issue was fixed in the latest update. Thank you, that was swift.

Plugin Author Steve Burge
(@stevejburge)

6 months, 3 weeks ago

Great, thanks for letting us know, @antonhg

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Bug report: media permission issue’ is closed to new replies.

6 replies
3 participants
Last reply from: Steve Burge
Last activity: 6 months, 3 weeks ago
Status: resolved