Ticket #22711: 22711.4.diff
| File 22711.4.diff, 6.4 KB (added by , 13 years ago) |
|---|
-
wp-admin/includes/ajax-actions.php
1812 1812 if ( ! $id = absint( $_REQUEST['id'] ) ) 1813 1813 wp_send_json_error(); 1814 1814 1815 if ( ! current_user_can( 'read_post',$id ) )1815 if ( ! $post = get_post( $id ) ) 1816 1816 wp_send_json_error(); 1817 1817 1818 if ( 'attachment' != $post->post_type ) 1819 wp_send_json_error(); 1820 1821 if ( ! current_user_can( 'upload_files' ) ) 1822 wp_send_json_error(); 1823 1818 1824 if ( ! $attachment = wp_prepare_attachment_for_js( $id ) ) 1819 1825 wp_send_json_error(); 1820 1826 … … 1827 1833 * @since 3.5.0 1828 1834 */ 1829 1835 function wp_ajax_query_attachments() { 1836 if ( ! current_user_can( 'upload_files' ) ) 1837 wp_send_json_error(); 1838 1830 1839 $query = isset( $_REQUEST['query'] ) ? (array) $_REQUEST['query'] : array(); 1831 1840 $query = array_intersect_key( $query, array_flip( array( 1832 1841 's', 'order', 'orderby', 'posts_per_page', 'paged', 'post_mime_type', … … 1988 1997 if ( ! $post = get_post( $id ) ) 1989 1998 wp_send_json_error(); 1990 1999 1991 if ( ! current_user_can( 'edit_post', $id ) )1992 wp_send_json_error();1993 1994 2000 if ( 'attachment' != $post->post_type ) 1995 2001 wp_send_json_error(); 1996 2002 1997 // If this attachment is unattached, attach it. Primarily a back compat thing. 1998 if ( 0 == $post->post_parent && $insert_into_post_id = intval( $_POST['post_id'] ) ) { 1999 wp_update_post( array( 'ID' => $id, 'post_parent' => $insert_into_post_id ) ); 2003 if ( current_user_can( 'edit_post', $id ) ) { 2004 // If this attachment is unattached, attach it. Primarily a back compat thing. 2005 if ( 0 == $post->post_parent && $insert_into_post_id = intval( $_POST['post_id'] ) ) { 2006 wp_update_post( array( 'ID' => $id, 'post_parent' => $insert_into_post_id ) ); 2007 } 2000 2008 } 2001 2009 2002 2010 $rel = $url = ''; -
wp-includes/css/media-views.css
61 61 border-color: #dfdfdf; 62 62 } 63 63 64 .media-frame input:disabled, 65 .media-frame textarea:disabled, 66 .media-frame input[readonly], 67 .media-frame textarea[readonly] { 68 background-color: #eee; 69 } 70 64 71 .media-frame input[type="search"] { 65 72 -webkit-appearance: textfield; 66 73 } -
wp-includes/js/media-models.js
219 219 // If the attachment does not yet have an `id`, return an instantly 220 220 // rejected promise. Otherwise, all of our requests will fail. 221 221 if ( _.isUndefined( this.id ) ) 222 return $.Deferred().reject ().promise();222 return $.Deferred().rejectWith( this ).promise(); 223 223 224 224 // Overload the `read` request so Attachment.fetch() functions correctly. 225 225 if ( 'read' === method ) { … … 233 233 234 234 // Overload the `update` request so properties can be saved. 235 235 } else if ( 'update' === method ) { 236 if ( ! this.get('nonces') ) 237 return $.Deferred().resolveWith( this ).promise(); 236 // If we do not have the necessary nonce, fail immeditately. 237 if ( ! this.get('nonces') || ! this.get('nonces').update ) 238 return $.Deferred().rejectWith( this ).promise(); 238 239 239 240 options = options || {}; 240 241 options.context = this; … … 286 287 saveCompat: function( data, options ) { 287 288 var model = this; 288 289 290 // If we do not have the necessary nonce, fail immeditately. 291 if ( ! this.get('nonces') || ! this.get('nonces').update ) 292 return $.Deferred().rejectWith( this ).promise(); 293 289 294 return media.post( 'save-attachment-compat', _.defaults({ 290 295 id: this.id, 291 296 nonce: this.get('nonces').update, -
wp-includes/js/media-views.js
2756 2756 }, 2757 2757 2758 2758 render: function() { 2759 var attachment = this.model.toJSON(), 2760 options = _.defaults( this.model.toJSON(), { 2759 var options = _.defaults( this.model.toJSON(), { 2761 2760 orientation: 'landscape', 2762 2761 uploading: false, 2763 2762 type: '', … … 2779 2778 if ( 'image' === options.type ) 2780 2779 options.size = this.imageSize(); 2781 2780 2781 options.can = {}; 2782 if ( options.nonces ) { 2783 options.can.remove = !! options.nonces['delete']; 2784 options.can.save = !! options.nonces.update; 2785 } 2786 2782 2787 this.views.detach(); 2783 2788 this.$el.html( this.template( options ) ); 2784 2789 … … 2967 2972 2968 2973 this.updateSave('waiting'); 2969 2974 save.requests = requests; 2970 requests. done( function() {2975 requests.always( function() { 2971 2976 // If we've performed another request since this one, bail. 2972 2977 if ( save.requests !== requests ) 2973 2978 return; 2974 2979 2975 view.updateSave( 'complete');2980 view.updateSave( requests.state() === 'resolved' ? 'complete' : 'error' ); 2976 2981 save.savedTimer = setTimeout( function() { 2977 2982 view.updateSave('ready'); 2978 2983 delete save.savedTimer; -
wp-includes/media.php
1334 1334 'icon' => wp_mime_type_icon( $attachment->ID ), 1335 1335 'dateFormatted' => mysql2date( get_option('date_format'), $attachment->post_date ), 1336 1336 'nonces' => array( 1337 'update' => wp_create_nonce( 'update-post_' . $attachment->ID ),1338 'delete' => wp_create_nonce( 'delete-post_' . $attachment->ID ),1337 'update' => false, 1338 'delete' => false, 1339 1339 ), 1340 1340 ); 1341 1341 1342 if ( current_user_can( 'edit_post', $attachment->ID ) ) 1343 $response['nonces']['update'] = wp_create_nonce( 'update-post_' . $attachment->ID ); 1344 1345 if ( current_user_can( 'delete_post', $attachment->ID ) ) 1346 $response['nonces']['delete'] = wp_create_nonce( 'delete-post_' . $attachment->ID ); 1347 1342 1348 if ( $meta && 'image' === $type ) { 1343 1349 $sizes = array(); 1344 1350 $possible_sizes = apply_filters( 'image_size_names_choose', array( … … 1690 1696 <# if ( 'image' === data.type && ! data.uploading && data.width && data.height ) { #> 1691 1697 <div class="dimensions">{{ data.width }} × {{ data.height }}</div> 1692 1698 <# } #> 1693 <# if ( ! data.uploading ) { #>1699 <# if ( ! data.uploading && data.can.remove ) { #> 1694 1700 <div class="delete-attachment"> 1695 1701 <a href="#"><?php _e( 'Delete Permanently' ); ?></a> 1696 1702 </div>