Ticket #31236: 31236.patch

File 31236.patch, 625 bytes (added by joemcgill, 7 years ago)

Fixes incorrect capability check.

  • src/wp-admin/includes/ajax-actions.php

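diff --git src/wp-admin/includes/ajax-actions.php src/wp-admin/includes/ajax-actions.php
index c5718ae..28a7838 100644
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -1855,7 +1855,7 @@ function wp_ajax_upload_attachment() {
 
         if ( isset( $_REQUEST['post_id'] ) ) {
                 $post_id = $_REQUEST['post_id'];
-                if ( ! current_user_can( 'edit_post', $post_id ) ) {
+                if ( ! current_user_can( 'edit_posts', $post_id ) ) {
                         wp_send_json_error( array(
                                 'message'  => __( "You don't have permission to attach files to this post." ),
                                 'filename' => $_FILES['async-upload']['name'],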
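Review bot: The new check on line 1858 passes `$post_id` to `edit_posts`, which is a primitive capability that is resolved from the user's role alone, so the post ID is ignored and the per-post authorization that the `edit_post` meta capability provided is lost. As written, any user holding `edit_posts` would pass this gate for a post they cannot edit, while the error message still claims the check is about "this post". Unless the ticket intends to drop object-level checking here, keep `if ( ! current_user_can( 'edit_post', $post_id ) ) {` and handle the failing case through capability mapping instead. Separately, `$post_id` is taken from `$_REQUEST` without being cast to an integer before the check; `$post_id = (int) $_REQUEST['post_id'];` would make the checked value unambiguous. The body of `wp_ajax_upload_attachment()` continues outside this hunk, so later uses of `$post_id` are not visible here.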