
Add cap and type checks to media item fetch. For 3.0

git-svn-id: http://svn.automattic.com/wordpress/branches/3.0@17393 1a063a9b-81f0-0310-95a4-ce76da25c4cd
1 parent 253569c commit b11819e6079cc81264f6f6fa5f2e145445b8e458 ryan committed Feb 5, 2011
Showing with 7 additions and 0 deletions.
  1. +7 −0 wp-admin/async-upload.php
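--- a/wp-admin/async-upload.php
+++ b/wp-admin/async-upload.php
@@ -30,6 +30,13 @@
 // just fetch the detail form for that attachment
 if ( isset($_REQUEST['attachment_id']) && ($id = intval($_REQUEST['attachment_id'])) && $_REQUEST['fetch'] ) {
+ $post = get_post( $id );
+ if ( 'attachment' != $post->post_type )
+ wp_die( __( 'Unknown post type.' ) );
+ $post_type_object = get_post_type_object( 'attachment' );
+ if ( ! current_user_can( $post_type_object->cap->edit_post, $id ) )
+ wp_die( __( 'You are not allowed to edit this item.' ) );
+
 if ( 2 == $_REQUEST['fetch'] ) {
 add_filter('attachment_fields_to_edit', 'media_single_attachment_fields_to_edit', 10, 2);
 echo get_media_item($id, array( 'send' => false, 'delete' => true ));
 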
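Review bot: `$post->post_type` on the line after `get_post( $id )` is read without checking that a post was found; when no post exists for the id, get_post() returns null, so the comparison still rejects the request but only after a property-access notice on a non-object. Guarding the lookup result makes the rejection explicit rather than incidental: `if ( ! $post || 'attachment' != $post->post_type )`. The capability check that follows is the right shape, since it passes the specific `$id` to current_user_can rather than testing a blanket capability. The enclosing `if ( isset($_REQUEST['attachment_id']) ... )` block continues past the end of the hunk.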