[wp-trac] [WordPress Trac] #22711: Only show Delete in media modal if the user can delete

WordPress Trac noreply at wordpress.org
Tue Dec 4 14:45:17 UTC 2012


#22711: Only show Delete in media modal if the user can delete
------------------------------+------------------
 Reporter:  nacin             |       Owner:
     Type:  defect (bug)      |      Status:  new
 Priority:  normal            |   Milestone:  3.5
Component:  Media             |     Version:
 Severity:  normal            |  Resolution:
 Keywords:  has-patch commit  |
------------------------------+------------------

Comment (by nacin):

 Here's an audit (with patch) —

 '''wp_ajax_send_link_to_editor''' - nonce. no cap check, no object to act
 on.

 '''wp_ajax_send_attachment_to_editor''' - nonce. no cap check normally.
 edit_post cap check for attaching an unattached item. attachment post type
 check.

 '''wp_ajax_save_attachment_order''' - nonce, edit_post cap check for the
 post things are attached to, and edit_post on each attachment (with post
 type check). same as 3.4. (which included the possibility of only some of
 the menu order saving, if you could only edit some attachments.)

 '''wp_ajax_save_attachment_compat''' - nonce, edit_post cap check.
 attachment post type check.

 '''wp_ajax_save_attachment''' - nonce, edit_post cap check. attachment
 post type check.

 '''wp_ajax_query_attachments''' - generic upload_files cap check.
 private_posts cap check to see if private attachments should be included.
 no nonce as it is a get. no edit_post or read_post cap check as a user
 does not need to be able to edit or read an attachment's parent (under
 "inherit" rules) to be able to view and insert said attachment in 3.4.

 '''wp_ajax_get_attachment''' - generic upload_files cap check. attachment
 post type check. no nonce as it is a get. no edit_post or read_post cap
 check as a user does not need to be able to edit or read an attachment's
 parent (under "inherit" rules) to be able to view and insert said
 attachment in 3.4.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/22711#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
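As an added example that is not part of the ticket or of WordPress core, the following hypothetical handler applies the three checks the audit above lists for wp_ajax_save_attachment in order: nonce, post type check, and an edit_post capability check on the specific attachment. The handler name, nonce action name and request parameters are assumptions.

```php
<?php
// Added example, not WordPress core code. Hypothetical AJAX handler showing
// the check pattern from the audit: nonce, post type check, object-level cap.

function example_ajax_save_attachment_title() {
    // 1. Nonce: ties the request to a form this site issued (CSRF defense).
    //    'save-attachment' is an assumed nonce action name. Note that the
    //    audit skips nonces for the GET handlers that only read data.
    check_ajax_referer( 'save-attachment', 'nonce' );

    $id = isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;
    if ( ! $id ) {
        wp_send_json_error( 'missing id' );
    }

    // 2. Post type check: the handler must act only on attachments, so a
    //    caller cannot point it at an arbitrary post ID.
    $post = get_post( $id );
    if ( ! $post || 'attachment' !== $post->post_type ) {
        wp_send_json_error( 'not an attachment' );
    }

    // 3. Capability check on this object (edit_post with the ID), not a
    //    generic check: a valid nonce never authorizes an action by itself.
    if ( ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( 'insufficient capability' );
    }

    // Only after all three checks does the handler touch the attachment.
    $title = isset( $_REQUEST['title'] )
        ? sanitize_text_field( stripslashes( $_REQUEST['title'] ) )
        : '';
    wp_update_post( array( 'ID' => $id, 'post_title' => $title ) );

    wp_send_json_success( array( 'id' => $id, 'title' => $title ) );
}
add_action( 'wp_ajax_example_save_attachment_title', 'example_ajax_save_attachment_title' );
```

A handler that can delete an attachment would substitute delete_post for edit_post in step 3, which is the same capability the modal should consult before showing the Delete control.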

