WordPress.org

Make WordPress Core

Changeset 23032


Ignore:
Timestamp:
12/04/2012 06:33:51 PM (6 years ago)
Author:
ryan
Message:

Only show Delete in media modal if the user can delete.

Props nacin, koopersmith
fixes #22711

Location:
trunk
Files:
5 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-admin/includes/ajax-actions.php

    r22994 r23032  
    18131813        wp_send_json_error();
    18141814
    1815     if ( ! current_user_can( 'read_post', $id ) )
     1815    if ( ! $post = get_post( $id ) )
     1816        wp_send_json_error();
     1817
     1818    if ( 'attachment' != $post->post_type )
     1819        wp_send_json_error();
     1820
     1821    if ( ! current_user_can( 'upload_files' ) )
    18161822        wp_send_json_error();
    18171823
     
    18281834 */
    18291835function wp_ajax_query_attachments() {
     1836    if ( ! current_user_can( 'upload_files' ) )
     1837        wp_send_json_error();
     1838
    18301839    $query = isset( $_REQUEST['query'] ) ? (array) $_REQUEST['query'] : array();
    18311840    $query = array_intersect_key( $query, array_flip( array(
     
    19891998        wp_send_json_error();
    19901999
    1991     if ( ! current_user_can( 'edit_post', $id ) )
    1992         wp_send_json_error();
    1993 
    19942000    if ( 'attachment' != $post->post_type )
    19952001        wp_send_json_error();
    19962002
    1997     // If this attachment is unattached, attach it. Primarily a back compat thing.
    1998     if ( 0 == $post->post_parent && $insert_into_post_id = intval( $_POST['post_id'] ) ) {
    1999         wp_update_post( array( 'ID' => $id, 'post_parent' => $insert_into_post_id ) );
     2003    if ( current_user_can( 'edit_post', $id ) ) {
     2004        // If this attachment is unattached, attach it. Primarily a back compat thing.
     2005        if ( 0 == $post->post_parent && $insert_into_post_id = intval( $_POST['post_id'] ) ) {
     2006            wp_update_post( array( 'ID' => $id, 'post_parent' => $insert_into_post_id ) );
     2007        }
    20002008    }
    20012009
  • trunk/wp-includes/css/media-views.css

    r23031 r23032  
    6262}
    6363
     64.media-frame input:disabled,
     65.media-frame textarea:disabled,
     66.media-frame input[readonly],
     67.media-frame textarea[readonly] {
     68    background-color: #eee;
     69}
     70
    6471.media-frame input[type="search"] {
    6572    -webkit-appearance: textfield;
  • trunk/wp-includes/js/media-models.js

    r22994 r23032  
    220220            // rejected promise. Otherwise, all of our requests will fail.
    221221            if ( _.isUndefined( this.id ) )
    222                 return $.Deferred().reject().promise();
     222                return $.Deferred().rejectWith( this ).promise();
    223223
    224224            // Overload the `read` request so Attachment.fetch() functions correctly.
     
    234234            // Overload the `update` request so properties can be saved.
    235235            } else if ( 'update' === method ) {
    236                 if ( ! this.get('nonces') )
    237                     return $.Deferred().resolveWith( this ).promise();
     236                // If we do not have the necessary nonce, fail immeditately.
     237                if ( ! this.get('nonces') || ! this.get('nonces').update )
     238                    return $.Deferred().rejectWith( this ).promise();
    238239
    239240                options = options || {};
     
    286287        saveCompat: function( data, options ) {
    287288            var model = this;
     289
     290            // If we do not have the necessary nonce, fail immeditately.
     291            if ( ! this.get('nonces') || ! this.get('nonces').update )
     292                return $.Deferred().rejectWith( this ).promise();
    288293
    289294            return media.post( 'save-attachment-compat', _.defaults({
  • trunk/wp-includes/js/media-views.js

    r23031 r23032  
    27572757
    27582758        render: function() {
    2759             var attachment = this.model.toJSON(),
    2760                 options = _.defaults( this.model.toJSON(), {
     2759            var options = _.defaults( this.model.toJSON(), {
    27612760                    orientation:   'landscape',
    27622761                    uploading:     false,
     
    27802779                options.size = this.imageSize();
    27812780
     2781            options.can = {};
     2782            if ( options.nonces ) {
     2783                options.can.remove = !! options.nonces['delete'];
     2784                options.can.save = !! options.nonces.update;
     2785            }
     2786
    27822787            this.views.detach();
    27832788            this.$el.html( this.template( options ) );
     
    29682973            this.updateSave('waiting');
    29692974            save.requests = requests;
    2970             requests.done( function() {
     2975            requests.always( function() {
    29712976                // If we've performed another request since this one, bail.
    29722977                if ( save.requests !== requests )
    29732978                    return;
    29742979
    2975                 view.updateSave('complete');
     2980                view.updateSave( requests.state() === 'resolved' ? 'complete' : 'error' );
    29762981                save.savedTimer = setTimeout( function() {
    29772982                    view.updateSave('ready');
  • trunk/wp-includes/media.php

    r23021 r23032  
    13351335        'dateFormatted' => mysql2date( get_option('date_format'), $attachment->post_date ),
    13361336        'nonces'      => array(
    1337             'update' => wp_create_nonce( 'update-post_' . $attachment->ID ),
    1338             'delete' => wp_create_nonce( 'delete-post_' . $attachment->ID ),
     1337            'update' => false,
     1338            'delete' => false,
    13391339        ),
    13401340    );
     1341
     1342    if ( current_user_can( 'edit_post', $attachment->ID ) )
     1343        $response['nonces']['update'] = wp_create_nonce( 'update-post_' . $attachment->ID );
     1344
     1345    if ( current_user_can( 'delete_post', $attachment->ID ) )
     1346        $response['nonces']['delete'] = wp_create_nonce( 'delete-post_' . $attachment->ID );
    13411347
    13421348    if ( $meta && 'image' === $type ) {
     
    16911697                    <div class="dimensions">{{ data.width }} &times; {{ data.height }}</div>
    16921698                <# } #>
    1693                 <# if ( ! data.uploading ) { #>
     1699                <# if ( ! data.uploading && data.can.remove ) { #>
    16941700                    <div class="delete-attachment">
    16951701                        <a href="#"><?php _e( 'Delete Permanently' ); ?></a>
Note: See TracChangeset for help on using the changeset viewer.