Error " You dont have permission to attach files to this post" on Wordpress

Question

When non-admin users upload media, They get the following error:

Things i have checked:

Wp-content/uploads and all sub folders have permission 755.
Core capabilities and custom for a test user ( who gets this error) is set for yes for media_upload Refer to the image below:
Deactivated all plugins, issue remains same.
To my knowledge, users were able to upload images earlier last week. No change has been done in the code since then.

If anyone has had a similar issue, I'm open for suggestions. Thanks.

UPDATE From wp-admin/includes/ ajax-action.php, I removed the following part:

if ( isset( $_REQUEST['post_id'] ) ) {
    $post_id = $_REQUEST['post_id'];
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        echo wp_json_encode( array(
            'success' => false,
            'data'    => array(
                'message'  => __( "You don't have permission to attach files     to this post." ),
                'filename' => $_FILES['async-upload']['name'],
            )
        ) );

        wp_die();
    }
    }

I realize that this is just sort of a checkpoint to see user capabilities but I dont fully understand why removing this part helped solve the issue. Now test user can upload media successfully ( media upload was successful earlier too) and there is no permission error and "UPLOAD MEDIA" button at the bottom is not greyed any more so I can upload as normal. Thanks

I am having this same issue. I am not able to upload files and getting this same error I removed above code from ajax-actions.php and now it's working fine. but not sure if this error is in WordPress or in edit role plugin. — Hitesh Ranaut, Aug 16 '17 at 12:02

score 3 · Answer 1 · answered Dec 31 '17 at 20:00

Removing core WP code isn't recommended at all!

The cause of this kind of error is often a PHP upload limit in your hosting environment. See here an example of how to change your PHP values : Change the maximum upload file size

But looking at your capabilities screenshot for posts Post Type, it seems your Role doesn't even enable to edit a post. I would first at least enable this Capability : edit_posts. And maybe some other posts-related Capabitilies.

For reference, here is a useful table to help understand Wordress Roles and Capabilities : Capability vs. Role Table

score 2 · Answer 2 · answered Sep 25 '18 at 07:28

Just Update the wp-admin/includes/ ajax-action.php file, instead of 'edit_post' it should be 'edit_posts'

if ( isset( $_REQUEST['post_id'] ) ) {
$post_id = $_REQUEST['post_id'];
if ( ! current_user_can( 'edit_posts', $post_id ) ) {
    echo wp_json_encode( array(
        'success' => false,
        'data'    => array(
            'message'  => __( "You don't have permission to attach files     to this post." ),
            'filename' => $_FILES['async-upload']['name'],
        )
    ) );

    wp_die();
}
}

Rich Bianco · Answer 3 · 2015-08-07T20:14:36.243

0

There are multiple solutions depending on the root cause.

One solution that seems to work if your roles get corrupted is install a plugin that edits WordPress roles. I don't know the exact role you need but I think it is one of these. I just noticed that you checked these so you might be beyond this, did you use a role editing plugin?

I would guess a user would need edit_post because uploading an image and attaching to a post IS editing the post.

unfiltered_upload 
upload_files

Another solution is by adding some PHP code if you are allowed or have access to it. Add this to a PHP file, for example the header.php (temporarily) and run it.

$user_role = 'author'; // Change user role here
$contributor = get_role($user_role);
$contributor->add_cap('upload_files');

This will give the role of the author the ability to upload files.

Third solution that sometimes solves it is to try adding the full file path for the uploads directory in Settings -> Media.

edited Aug 07 '15 at 20:14

answered Aug 07 '15 at 20:02

Rich Bianco

4,141
3
29
48

Gave permission for "edit_post" to the test user. No changes. Trying the next two. I cant see anything in the debug file, does this sort of error give any info in debug.txt? Thanks @displacedguy – shrbisht Aug 07 '15 at 20:21
About the second suggestion, I think i did it wrong. Here is what i added: – shrbisht Aug 07 '15 at 20:23
$user_role = 'freelancer'; // Change user role here $contributor = get_role($user_role); $contributor->add_cap('upload_files'); This line of code was displayed at the top of the home page. I am sure I didnt add the code currectly – shrbisht Aug 07 '15 at 20:23
About the third solution, I didnt see an option to add full file path. I have attached a screenshot of what i see. Thanks for your suggestions. – shrbisht Aug 07 '15 at 20:30
I think they took the option off that screen. It is stored with all that info in the wp_options table. There is a column named upload_url_path but I'm running out of ideas - will try to think of more... – Rich Bianco Aug 07 '15 at 21:03
I saw that someone had this problem they had to set the owner of the folder for images instead of setting permissions. It doesn't sound right but use something like : sudo chown www-data:www-data /folderName I think this will solve it another format: chown apache:apache -R wp-content/uploads – Rich Bianco Aug 07 '15 at 21:06
Do you use years, months in your images upload, sometimes wordpress can't create the new folder and if you create it then the image will upload. The chown should work because the parent directory needs be writable by the "server" to create the new folders. So when we hit August maybe thats when it broke, first user to upload in Aug?? – Rich Bianco Aug 07 '15 at 21:08
Thanks for the inputs. answering to your last comment, yes it is set to a month year format and folder for august is already created with just 1 upload ( turned into 3 diff sizes) on it. I dont know how and why but removing the following part from the code helped. I dont understand php that well but maybe you would be kind enough to tell me if I did the wrong workaround here. Updating the question to show what part I removed. Thanks again – shrbisht Aug 08 '15 at 21:23

score 0 · Answer 4 · answered Aug 10 '15 at 14:53

0

As mentioned in the question update, I removed the set of code from my file and it worked for me. I am not sure how it worked and I wont recommend this solution to anyone but if you are in a bad situation, I guess you could give it a try. I am still looking for an explanation as to what changed when i removed the code. If you are a wordpress or php expert and you understand what I did, please let me know.

answered Aug 10 '15 at 14:53

shrbisht

676
3
9
23

3

What you did will obviously work, but it subverted the built in WordPress security. Essentially WordPress no longer makes sure a user has permission to "edit post #" and everyone will be able to perform this step regardless of their security setting. The consequences depend on the context of where that code was removed from, if it was in a block of code checking to see if they can upload an image, than probably not a huge risk (and it looks this way from error message text), but if it subverted the entire checking to see if user can edit a post, than probably not a good work-around at all. – Rich Bianco Aug 10 '15 at 16:53

Error " You dont have permission to attach files to this post" on Wordpress

4 Answers4

Linked