From fd15794b5ce70bdb699a53be5081e88850ced32d Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Sun, 16 Nov 2014 05:47:21 +0000 Subject: [PATCH] Add some specific JSON responses when there are user permission errors for AJAX file uploads. Replace some usage of `wp_json_encode()` with `wp_send_json_*()`. See #25849 Props gcorne Built from https://develop.svn.wordpress.org/trunk@30354 git-svn-id: http://core.svn.wordpress.org/trunk@30353 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/async-upload.php | 11 ++++---- wp-admin/includes/ajax-actions.php | 45 +++++++++++++----------------- 2 files changed, 25 insertions(+), 31 deletions(-) diff --git a/wp-admin/async-upload.php b/wp-admin/async-upload.php index 9a326ac14f..829a791af0 100644 --- a/wp-admin/async-upload.php +++ b/wp-admin/async-upload.php @@ -32,11 +32,6 @@ if ( ! ( isset( $_REQUEST['action'] ) && 'upload-attachment' == $_REQUEST['actio require_once( ABSPATH . 'wp-admin/admin.php' ); -if ( !current_user_can('upload_files') ) - wp_die(__('You do not have permission to upload files.')); - -header('Content-Type: text/html; charset=' . get_option('blog_charset')); - if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ) { include( ABSPATH . 'wp-admin/includes/ajax-actions.php' ); @@ -47,6 +42,12 @@ if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] die( '0' ); } +if ( ! current_user_can( 'upload_files' ) ) { + wp_die( __( 'You do not have permission to upload files.' ) ); +} + +header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) ); + // just fetch the detail form for that attachment if ( isset($_REQUEST['attachment_id']) && ($id = intval($_REQUEST['attachment_id'])) && $_REQUEST['fetch'] ) { $post = get_post( $id ); diff --git a/wp-admin/includes/ajax-actions.php b/wp-admin/includes/ajax-actions.php index 20fa265ee4..303f3b2643 100644 --- a/wp-admin/includes/ajax-actions.php +++ b/wp-admin/includes/ajax-actions.php @@ -1833,13 +1833,21 @@ function wp_ajax_update_widget() { function wp_ajax_upload_attachment() { check_ajax_referer( 'media-form' ); - if ( ! current_user_can( 'upload_files' ) ) - wp_die(); + if ( ! current_user_can( 'upload_files' ) ) { + wp_send_json_error( array( + 'message' => __( "You don't have permission to upload files." ), + 'filename' => $_FILES['async-upload']['name'], + ) ); + } if ( isset( $_REQUEST['post_id'] ) ) { $post_id = $_REQUEST['post_id']; - if ( ! current_user_can( 'edit_post', $post_id ) ) - wp_die(); + if ( ! current_user_can( 'edit_post', $post_id ) ) { + wp_send_json_error( array( + 'message' => __( "You don't have permission to attach files to this post." ), + 'filename' => $_FILES['async-upload']['name'], + ) ); + } } else { $post_id = null; } @@ -1850,30 +1858,20 @@ function wp_ajax_upload_attachment() { if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) { $wp_filetype = wp_check_filetype_and_ext( $_FILES['async-upload']['tmp_name'], $_FILES['async-upload']['name'], false ); if ( ! wp_match_mime_types( 'image', $wp_filetype['type'] ) ) { - echo wp_json_encode( array( - 'success' => false, - 'data' => array( - 'message' => __( 'The uploaded file is not a valid image. Please try again.' ), - 'filename' => $_FILES['async-upload']['name'], - ) + wp_send_json_error( array( + 'message' => __( 'The uploaded file is not a valid image. Please try again.' ), + 'filename' => $_FILES['async-upload']['name'], ) ); - - wp_die(); } } $attachment_id = media_handle_upload( 'async-upload', $post_id, $post_data ); if ( is_wp_error( $attachment_id ) ) { - echo wp_json_encode( array( - 'success' => false, - 'data' => array( - 'message' => $attachment_id->get_error_message(), - 'filename' => $_FILES['async-upload']['name'], - ) + wp_send_json_error( array( + 'message' => $attachment_id->get_error_message(), + 'filename' => $_FILES['async-upload']['name'], ) ); - - wp_die(); } if ( isset( $post_data['context'] ) && isset( $post_data['theme'] ) ) { @@ -1887,12 +1885,7 @@ function wp_ajax_upload_attachment() { if ( ! $attachment = wp_prepare_attachment_for_js( $attachment_id ) ) wp_die(); - echo wp_json_encode( array( - 'success' => true, - 'data' => $attachment, - ) ); - - wp_die(); + wp_send_json_success( $attachment ); } /**