
Permissions management: Create folders per user

Do you want to restrict uploaded files, folders, collections and galleries in your media library to specific users or user groups? We explain why this feature is not implemented in Real Media Library (and many/all alternatives).

Permissions management for the media library

WordPress comes with a permission system built around users and roles (groups), such as administrators. Each user belongs to one role (or, with plugins, to several). Roles have permissions (called capabilities in the WordPress context) that can be true or false. This means that the permission system is one-dimensional, and much simpler and more limited than, for example, the UNIX file system.

In the list of capabilities, you can find the following that belong to the media library:

  • upload_files

It is not a mistake that the list contains only one capability. WordPress can only allow or disallow roles to upload files. Permission management that restricts, for example, the visibility of the whole media library or even of individual uploads does not exist in WordPress.

Why it is a bad idea to invent new capabilities

Real Media Library could implement full permission management in WordPress to at least restrict reading and writing for the whole media library, individual folders, collections and galleries, as well as individual files. This is the feature desired by many Real Media Library users.

However, this is a bad idea for two reasons:

  • Uploads to the WordPress media library are simply located in the wp-content/uploads/ folder without any protection against third-party access. We would have to establish a security mechanism here so that file names cannot easily be guessed. This would lead to serious compatibility problems with other plugins.
  • Other plugins and the WordPress core would not know the capabilities we invented, so restrictions defined this way would not be taken into account. For example, if your page builder uses its own mechanism to select images, or displays them based on the sequential upload ID, the uploads would be completely unprotected despite the permission restriction in Real Media Library.
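
Both reasons can be seen in a simplified model. This is an added example, not WordPress or Real Media Library code; the capability view_folder_7, the role names and the sample upload are constructed for illustration, and the other plugin is assumed to check only upload_files.

```python
# Simplified model, not WordPress or Real Media Library code.
# Role and capability names other than upload_files are hypothetical.

# Each role maps capability -> bool, the one-dimensional shape the article describes.
ROLES = {
    "client_a": {"upload_files": True, "view_folder_7": True},
    "client_b": {"upload_files": True, "view_folder_7": False},
    "subscriber": {"upload_files": False},
}

# Constructed sample upload: sequential ID -> folder and file path.
UPLOADS = {41: {"folder": 7, "path": "wp-content/uploads/2024/05/contract.pdf"}}


def can(role, capability):
    """A capability the role does not list counts as not granted."""
    return ROLES[role].get(capability, False)


def folder_plugin_view(role, upload_id):
    """Path 1: the folder plugin itself, the only code that knows view_folder_*."""
    upload = UPLOADS[upload_id]
    if not can(role, f"view_folder_{upload['folder']}"):
        return None
    return upload["path"]


def other_plugin_pick(role, upload_id):
    """Path 2: another plugin selecting by upload ID; assumed to check only upload_files."""
    return UPLOADS[upload_id]["path"] if can(role, "upload_files") else None


def direct_file_request(path):
    """Path 3: the file under wp-content/uploads/ requested by URL; no role is consulted."""
    known = {u["path"] for u in UPLOADS.values()}
    return path if path in known else None


def reachable_paths(role, upload_id):
    """Names of the access paths through which this role still gets the file."""
    path = UPLOADS[upload_id]["path"]
    results = {
        "folder_plugin": folder_plugin_view(role, upload_id),
        "other_plugin": other_plugin_pick(role, upload_id),
        "direct_url": direct_file_request(path),
    }
    return sorted(name for name, got in results.items() if got is not None)
```

The invented capability removes only the folder_plugin path for client_b; the other two paths never consult it.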

It is unrealistic to expect that the permission extensions we invented would be adopted by all plugins over time. This is also why WordPress Core will not implement such a permission management extension for the time being. To force all plugins to accept an extended permission system, new technical interfaces would have to be created and, at the same time, old technical interfaces would have to be disabled. This is called a breaking change, and in an ecosystem like WordPress it is avoided wherever possible because it causes significant collateral damage to the entire ecosystem (e.g. plugins that have not been updated can no longer be used in the new WordPress version).
