Check the user before overwriting the attachment. Props xknown and Jo…

…seph Scott. fixes #4422

git-svn-id: http://svn.automattic.com/wordpress/branches/2.2@5670 1a063a9b-81f0-0310-95a4-ce76da25c4cd

xmlrpc.php

@@ -1437,6 +1437,21 @@ function mw_newMediaObject($args) {
 		$type = $data['type'];
 		$bits = $data['bits'];
 
+		logIO('O', '(MW) Received '.strlen($bits).' bytes');
+
+		if ( !$this->login_pass_ok($user_login, $user_pass) )
+			return $this->error;
+
+		set_current_user(0, $user_login);
+		if ( !current_user_can('upload_files') ) {
+			logIO('O', '(MW) User does not have upload_files capability');
+			$this->error = new IXR_Error(401, __('You are not allowed to upload files to this site.'));
+			return $this->error;
+		}
+
+		if ( $upload_err = apply_filters( "pre_upload_error", false ) )
+			return new IXR_Error(500, $upload_err);
+
 		if(!empty($data["overwrite"]) && ($data["overwrite"] == true)) {
 			// Get postmeta info on the object.
 			$old_file = $wpdb->get_row("
@@ -1455,21 +1470,6 @@ function mw_newMediaObject($args) {
 			$name = "wpid{$old_file->ID}-{$filename}";
 		}
 
-		logIO('O', '(MW) Received '.strlen($bits).' bytes');
-
-		if ( !$this->login_pass_ok($user_login, $user_pass) )
-			return $this->error;
-
-		set_current_user(0, $user_login);
-		if ( !current_user_can('upload_files') ) {
-			logIO('O', '(MW) User does not have upload_files capability');
-			$this->error = new IXR_Error(401, __('You are not allowed to upload files to this site.'));
-			return $this->error;
-		}
-
-		if ( $upload_err = apply_filters( "pre_upload_error", false ) )
-			return new IXR_Error(500, $upload_err);
-
 		$upload = wp_upload_bits($name, $type, $bits, $overwrite);
 		if ( ! empty($upload['error']) ) {
 			$errorString = 'Could not write file ' . $name . ' (' . $upload['error'] . ')';