X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/1c09677af04c9e37714e09b73eb9dbc5b2e3eb13..refs/tags/wordpress-3.3.1-scripts:/wp-admin/async-upload.php diff --git a/wp-admin/async-upload.php b/wp-admin/async-upload.php index a384453a..1bd267fa 100644 --- a/wp-admin/async-upload.php +++ b/wp-admin/async-upload.php @@ -21,15 +21,22 @@ elseif ( empty($_COOKIE[AUTH_COOKIE]) && !empty($_REQUEST['auth_cookie']) ) if ( empty($_COOKIE[LOGGED_IN_COOKIE]) && !empty($_REQUEST['logged_in_cookie']) ) $_COOKIE[LOGGED_IN_COOKIE] = $_REQUEST['logged_in_cookie']; unset($current_user); -require_once('admin.php'); +require_once('./admin.php'); -header('Content-Type: text/plain; charset=' . get_option('blog_charset')); +header('Content-Type: text/html; charset=' . get_option('blog_charset')); if ( !current_user_can('upload_files') ) wp_die(__('You do not have permission to upload files.')); // just fetch the detail form for that attachment if ( isset($_REQUEST['attachment_id']) && ($id = intval($_REQUEST['attachment_id'])) && $_REQUEST['fetch'] ) { + $post = get_post( $id ); + if ( 'attachment' != $post->post_type ) + wp_die( __( 'Unknown post type.' ) ); + $post_type_object = get_post_type_object( 'attachment' ); + if ( ! current_user_can( $post_type_object->cap->edit_post, $id ) ) + wp_die( __( 'You are not allowed to edit this item.' ) ); + if ( 2 == $_REQUEST['fetch'] ) { add_filter('attachment_fields_to_edit', 'media_single_attachment_fields_to_edit', 10, 2); echo get_media_item($id, array( 'send' => false, 'delete' => true )); @@ -43,16 +50,18 @@ if ( isset($_REQUEST['attachment_id']) && ($id = intval($_REQUEST['attachment_id check_admin_referer('media-form'); $id = media_handle_upload('async-upload', $_REQUEST['post_id']); -if (is_wp_error($id)) { - echo '