Make WordPress Core

Changeset 17393


Ignore:
Timestamp:
02/05/2011 06:24:55 PM (14 years ago)
Author:
ryan
Message:

Add cap and type checks to media item fetch. For 3.0

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/3.0/wp-admin/async-upload.php

    r14816 r17393  
    3131// just fetch the detail form for that attachment
    3232if ( isset($_REQUEST['attachment_id']) && ($id = intval($_REQUEST['attachment_id'])) && $_REQUEST['fetch'] ) {
     33    $post = get_post( $id );
     34    if ( 'attachment' != $post->post_type )
     35        wp_die( __( 'Unknown post type.' ) );
     36    $post_type_object = get_post_type_object( 'attachment' );
     37    if ( ! current_user_can( $post_type_object->cap->edit_post, $id ) )
     38        wp_die( __( 'You are not allowed to edit this item.' ) );
     39
    3340    if ( 2 == $_REQUEST['fetch'] ) {
    3441        add_filter('attachment_fields_to_edit', 'media_single_attachment_fields_to_edit', 10, 2);
Note: See TracChangeset for help on using the changeset viewer.