Changeset 17393


Timestamp:
02/05/11 18:24:55 (3 years ago)
Author:
ryan
Message:

Add cap and type checks to media item fetch. For 3.0

File:
1 edited

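--- a/branches/3.0/wp-admin/async-upload.php
+++ b/branches/3.0/wp-admin/async-upload.php
@@ -31,4 +31,11 @@
 // just fetch the detail form for that attachment
 if ( isset($_REQUEST['attachment_id']) && ($id = intval($_REQUEST['attachment_id'])) && $_REQUEST['fetch'] ) {
+    $post = get_post( $id );
+    if ( 'attachment' != $post->post_type )
+        wp_die( __( 'Unknown post type.' ) );
+    $post_type_object = get_post_type_object( 'attachment' );
+    if ( ! current_user_can( $post_type_object->cap->edit_post, $id ) )
+        wp_die( __( 'You are not allowed to edit this item.' ) );
+
     if ( 2 == $_REQUEST['fetch'] ) {
         add_filter('attachment_fields_to_edit', 'media_single_attachment_fields_to_edit', 10, 2);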
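Review bot: The new `$post = get_post( $id );` can yield null when no post has that ID, and the following line then reads `$post->post_type` on null before the type check rejects the request; the request still ends in wp_die() because `'attachment' != null` is true, but only after a PHP notice about a non-object. Guard the lookup explicitly and compare strictly so the rejection does not depend on loose comparison: `if ( ! $post || 'attachment' !== $post->post_type )`. The order of the new checks is sound — the attachment type is confirmed before the edit_post capability is consulted, so the cap check is always evaluated against the attachment post type. The enclosing `if ( isset($_REQUEST['attachment_id']) ... )` block continues past the end of the hunk.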