Ticket #22711: 22711.2.diff
| File 22711.2.diff, 4.0 KB (added by , 13 years ago) |
|---|
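--- a/wp-includes/js/media-models.js
+++ b/wp-includes/js/media-models.js
@@ -233,7 +233,7 @@
 
 // Overload the `update` request so properties can be saved.
 } else if ( 'update' === method ) {
-if ( ! this.get('nonces') )
+if ( ! this.get('nonces') || ! this.get('nonces').update )
 return $.Deferred().resolveWith( this ).promise();
 
 options = options || {};
@@ -286,6 +286,9 @@
 saveCompat: function( data, options ) {
 var model = this;
 
+if ( ! this.get('nonces') || ! this.get('nonces').update )
+return $.Deferred().resolveWith( this ).promise();
+
 return media.post( 'save-attachment-compat', _.defaults({
 id: this.id,
 nonce: this.get('nonces').update,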
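Review bot: Both guards, the one in the `update` branch and the new one at the top of `saveCompat`, return `$.Deferred().resolveWith( this ).promise()` when no update nonce is present, so a caller's `done` handlers run exactly as if the save had reached the server. If the views treat resolution as "saved", a user without edit rights would see changes appear to stick; consider `return $.Deferred().rejectWith( this ).promise();`, or at least a comment such as `// No update nonce: the server withheld edit rights, so skip the request.` The check is a UI convenience only, so the server-side handlers still have to verify the nonce and the capability themselves. Both function bodies continue outside the hunks shown.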
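--- a/wp-includes/media.php
+++ b/wp-includes/media.php
@@ -1334,11 +1334,17 @@
 'icon' => wp_mime_type_icon( $attachment->ID ),
 'dateFormatted' => mysql2date( get_option('date_format'), $attachment->post_date ),
 'nonces' => array(
-'update' => wp_create_nonce( 'update-post_' . $attachment->ID ),
-'delete' => wp_create_nonce( 'delete-post_' . $attachment->ID ),
+'update' => false,
+'delete' => false,
 ),
 );
 
+if ( current_user_can( 'edit_post', $attachment->ID ) )
+$response['nonces']['update'] = wp_create_nonce( 'update-post_' . $attachment->ID );
+
+if ( current_user_can( 'delete_post', $attachment->ID ) )
+$response['nonces']['delete'] = wp_create_nonce( 'delete-post_' . $attachment->ID );
+
 if ( $meta && 'image' === $type ) {
 $sizes = array();
 $possible_sizes = apply_filters( 'image_size_names_choose', array(
@@ -1690,7 +1696,7 @@
 <# if ( 'image' === data.type && ! data.uploading && data.width && data.height ) { #>
 <div class="dimensions">{{ data.width }} × {{ data.height }}</div>
 <# } #>
-<# if ( ! data.uploading ) { #>
+<# if ( ! data.uploading && data.nonces['delete'] ) { #>
 <div class="delete-attachment">
 <a href="#"><?php _e( 'Delete Permanently' ); ?></a>
 </div>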
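Review bot: The `nonces` array now carries `false` for actions the user lacks, and the template hides the delete link on `data.nonces['delete']`, but nothing here records that a nonce is a request-forgery token and not an authorization decision. A comment above the two `current_user_can()` blocks would help, e.g. `// Only hand out nonces for actions this user may perform; the AJAX handlers must still check the capability themselves.` The template expression also assumes `data.nonces` is always set for a non-uploading attachment, which holds only while every producer of this data sets the key; `data.nonces && data.nonces['delete']` would be the defensive form. The enclosing function starts and ends outside the hunk.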
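--- a/wp-admin/includes/ajax-actions.php
+++ b/wp-admin/includes/ajax-actions.php
@@ -1812,9 +1812,15 @@
 if ( ! $id = absint( $_REQUEST['id'] ) )
 wp_send_json_error();
 
-if ( ! current_user_can( 'read_post',$id ) )
+if ( ! $post = get_post( $id ) )
 wp_send_json_error();
 
+if ( 'attachment' != $post->post_type )
+wp_send_json_error();
+
+if ( ! current_user_can( 'upload_files' ) )
+wp_send_json_error();
+
 if ( ! $attachment = wp_prepare_attachment_for_js( $id ) )
 wp_send_json_error();
 
@@ -1827,6 +1833,9 @@
 * @since 3.5.0
 */
 function wp_ajax_query_attachments() {
+if ( ! current_user_can( 'upload_files' ) )
+wp_send_json_error();
+
 $query = isset( $_REQUEST['query'] ) ? (array) $_REQUEST['query'] : array();
 $query = array_intersect_key( $query, array_flip( array(
 's', 'order', 'orderby', 'posts_per_page', 'paged', 'post_mime_type',
@@ -1988,15 +1997,14 @@
 if ( ! $post = get_post( $id ) )
 wp_send_json_error();
 
-if ( ! current_user_can( 'edit_post', $id ) )
-wp_send_json_error();
-
 if ( 'attachment' != $post->post_type )
 wp_send_json_error();
 
-// If this attachment is unattached, attach it. Primarily a back compat thing.
-if ( 0 == $post->post_parent && $insert_into_post_id = intval( $_POST['post_id'] ) ) {
-wp_update_post( array( 'ID' => $id, 'post_parent' => $insert_into_post_id ) );
+if ( current_user_can( 'edit_post', $id ) ) {
+// If this attachment is unattached, attach it. Primarily a back compat thing.
+if ( 0 == $post->post_parent && $insert_into_post_id = intval( $_POST['post_id'] ) ) {
+wp_update_post( array( 'ID' => $id, 'post_parent' => $insert_into_post_id ) );
+}
 }
 
 $rel = $url = '';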
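Review bot: In the last hunk the re-parenting branch checks `edit_post` on the attachment only, while `$insert_into_post_id` comes from `$_POST['post_id']` and is written as `post_parent` with no capability check on that target post. Unless a check outside the hunk already covers it, the condition could become `if ( 0 == $post->post_parent && $insert_into_post_id && current_user_can( 'edit_post', $insert_into_post_id ) )`, with `$insert_into_post_id = isset( $_POST['post_id'] ) ? intval( $_POST['post_id'] ) : 0;` on the line before so a missing field does not raise a notice. Whether the function verifies a nonce before this point is not visible here; its body starts and ends outside the hunk.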