Add cap and type checks to media item fetch. For trunk

git-svn-id: http://svn.automattic.com/wordpress/trunk@17390 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
ryan 2011-02-05 18:22:53 +00:00
parent b9487742e0
commit 3862c4c34c
1 changed files with 7 additions and 0 deletions

View File

@ -30,6 +30,13 @@ if ( !current_user_can('upload_files') )
// just fetch the detail form for that attachment // just fetch the detail form for that attachment
if ( isset($_REQUEST['attachment_id']) && ($id = intval($_REQUEST['attachment_id'])) && $_REQUEST['fetch'] ) { if ( isset($_REQUEST['attachment_id']) && ($id = intval($_REQUEST['attachment_id'])) && $_REQUEST['fetch'] ) {
$post = get_post( $id );
if ( 'attachment' != $post->post_type )
wp_die( __( 'Unknown post type.' ) );
$post_type_object = get_post_type_object( 'attachment' );
if ( ! current_user_can( $post_type_object->cap->edit_post, $id ) )
wp_die( __( 'You are not allowed to edit this item.' ) );
if ( 2 == $_REQUEST['fetch'] ) { if ( 2 == $_REQUEST['fetch'] ) {
add_filter('attachment_fields_to_edit', 'media_single_attachment_fields_to_edit', 10, 2); add_filter('attachment_fields_to_edit', 'media_single_attachment_fields_to_edit', 10, 2);
echo get_media_item($id, array( 'send' => false, 'delete' => true )); echo get_media_item($id, array( 'send' => false, 'delete' => true ));