Changeset 31334

Timestamp:

02/05/2015 06:04:32 AM (10 years ago)

Author:

pento

Message:

Shiny Updates: Add capability checks to the ajax callbacks, to ensure the current user is allowed to install/update plugins.

See #29820

File:

• trunk/src/wp-admin/includes/ajax-actions.php (modified) (2 diffs)

trunk/src/wp-admin/includes/ajax-actions.php

@@ -2836 +2836 @@
  */
 function wp_ajax_install_plugin() {
+    if ( ! current_user_can( 'install_plugins' ) ) {
+        wp_die( __('You do not have sufficient permissions to install plugins on this site.') );
+    }
+
     check_ajax_referer( 'updates' );
 
@@ -2876 +2880 @@
  */
 function wp_ajax_update_plugin() {
+    if ( ! current_user_can( 'update_plugins' ) ) {
+        wp_die( __('You do not have sufficient permissions to install plugins on this site.') );
+    }
+
     check_ajax_referer( 'updates' );