Only show Delete in media modal if the user can delete.

Props nacin, koopersmith
fixes #22711


git-svn-id: https://develop.svn.wordpress.org/trunk@23032 602fd350-edb4-49c9-b593-d223f7449a82
Ryan Boren 2012-12-04 18:33:51 +00:00
parent eb3dc78a61
commit fa4b718809
5 changed files with 48 additions and 17 deletions


@ -1812,7 +1812,13 @@ function wp_ajax_get_attachment() {
if ( ! $id = absint( $_REQUEST['id'] ) ) if ( ! $id = absint( $_REQUEST['id'] ) )
wp_send_json_error(); wp_send_json_error();
if ( ! current_user_can( 'read_post', $id ) ) if ( ! $post = get_post( $id ) )
wp_send_json_error();
if ( 'attachment' != $post->post_type )
wp_send_json_error();
if ( ! current_user_can( 'upload_files' ) )
wp_send_json_error(); wp_send_json_error();
if ( ! $attachment = wp_prepare_attachment_for_js( $id ) ) if ( ! $attachment = wp_prepare_attachment_for_js( $id ) )
@ -1827,6 +1833,9 @@ function wp_ajax_get_attachment() {
* @since 3.5.0 * @since 3.5.0
*/ */
function wp_ajax_query_attachments() { function wp_ajax_query_attachments() {
if ( ! current_user_can( 'upload_files' ) )
wp_send_json_error();
$query = isset( $_REQUEST['query'] ) ? (array) $_REQUEST['query'] : array(); $query = isset( $_REQUEST['query'] ) ? (array) $_REQUEST['query'] : array();
$query = array_intersect_key( $query, array_flip( array( $query = array_intersect_key( $query, array_flip( array(
's', 'order', 'orderby', 'posts_per_page', 'paged', 'post_mime_type', 's', 'order', 'orderby', 'posts_per_page', 'paged', 'post_mime_type',
@ -1988,15 +1997,14 @@ function wp_ajax_send_attachment_to_editor() {
if ( ! $post = get_post( $id ) ) if ( ! $post = get_post( $id ) )
wp_send_json_error(); wp_send_json_error();
if ( ! current_user_can( 'edit_post', $id ) )
wp_send_json_error();
if ( 'attachment' != $post->post_type ) if ( 'attachment' != $post->post_type )
wp_send_json_error(); wp_send_json_error();
// If this attachment is unattached, attach it. Primarily a back compat thing. if ( current_user_can( 'edit_post', $id ) ) {
if ( 0 == $post->post_parent && $insert_into_post_id = intval( $_POST['post_id'] ) ) { // If this attachment is unattached, attach it. Primarily a back compat thing.
wp_update_post( array( 'ID' => $id, 'post_parent' => $insert_into_post_id ) ); if ( 0 == $post->post_parent && $insert_into_post_id = intval( $_POST['post_id'] ) ) {
wp_update_post( array( 'ID' => $id, 'post_parent' => $insert_into_post_id ) );
}
} }
$rel = $url = ''; $rel = $url = '';
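Review bot: The new guard in wp_ajax_get_attachment drops the per-object `read_post` check in favour of the global `upload_files` capability, so any user who can upload may now fetch the JSON for any attachment by id, which may include attachments whose parent post they cannot read. If that widening is intended for the media library, a short comment saying so would help; otherwise keep both checks, `if ( ! current_user_can( 'upload_files' ) || ! current_user_can( 'read_post', $id ) )`. In the wp_ajax_send_attachment_to_editor hunk, the now-conditional attach branch still reads `$_POST['post_id']` without an isset guard, which raises a notice when the key is absent; `intval( isset( $_POST['post_id'] ) ? $_POST['post_id'] : 0 )` avoids it. Both functions continue beyond their hunks.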


@ -61,6 +61,13 @@
border-color: #dfdfdf; border-color: #dfdfdf;
} }
.media-frame input:disabled,
.media-frame textarea:disabled,
.media-frame input[readonly],
.media-frame textarea[readonly] {
background-color: #eee;
}
.media-frame input[type="search"] { .media-frame input[type="search"] {
-webkit-appearance: textfield; -webkit-appearance: textfield;
} }


@ -219,7 +219,7 @@ window.wp = window.wp || {};
// If the attachment does not yet have an `id`, return an instantly // If the attachment does not yet have an `id`, return an instantly
// rejected promise. Otherwise, all of our requests will fail. // rejected promise. Otherwise, all of our requests will fail.
if ( _.isUndefined( this.id ) ) if ( _.isUndefined( this.id ) )
return $.Deferred().reject().promise(); return $.Deferred().rejectWith( this ).promise();
// Overload the `read` request so Attachment.fetch() functions correctly. // Overload the `read` request so Attachment.fetch() functions correctly.
if ( 'read' === method ) { if ( 'read' === method ) {
@ -233,8 +233,9 @@ window.wp = window.wp || {};
// Overload the `update` request so properties can be saved. // Overload the `update` request so properties can be saved.
} else if ( 'update' === method ) { } else if ( 'update' === method ) {
if ( ! this.get('nonces') ) // If we do not have the necessary nonce, fail immeditately.
return $.Deferred().resolveWith( this ).promise(); if ( ! this.get('nonces') || ! this.get('nonces').update )
return $.Deferred().rejectWith( this ).promise();
options = options || {}; options = options || {};
options.context = this; options.context = this;
@ -286,6 +287,10 @@ window.wp = window.wp || {};
saveCompat: function( data, options ) { saveCompat: function( data, options ) {
var model = this; var model = this;
// If we do not have the necessary nonce, fail immeditately.
if ( ! this.get('nonces') || ! this.get('nonces').update )
return $.Deferred().rejectWith( this ).promise();
return media.post( 'save-attachment-compat', _.defaults({ return media.post( 'save-attachment-compat', _.defaults({
id: this.id, id: this.id,
nonce: this.get('nonces').update, nonce: this.get('nonces').update,
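Review bot: The nonce guard added in the `update` branch of `sync` is repeated verbatim in `saveCompat`, and both copies carry the same typo in the comment (`immeditately`). A small predicate on the model, `hasNonce: function( action ) { return !! ( this.get('nonces') && this.get('nonces')[ action ] ); }`, would let both sites read `if ( ! this.hasNonce('update') ) return $.Deferred().rejectWith( this ).promise();` and could serve the `delete` branch as well, which lies outside the hunk. Rejecting with no arguments also leaves `.fail` handlers unable to tell a missing nonce from a transport failure; `rejectWith( this, [ 'no-nonce' ] )` is a cheap way to pass a reason. The enclosing `sync` method starts before the first hunk.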


@ -2756,8 +2756,7 @@
}, },
render: function() { render: function() {
var attachment = this.model.toJSON(), var options = _.defaults( this.model.toJSON(), {
options = _.defaults( this.model.toJSON(), {
orientation: 'landscape', orientation: 'landscape',
uploading: false, uploading: false,
type: '', type: '',
@ -2779,6 +2778,12 @@
if ( 'image' === options.type ) if ( 'image' === options.type )
options.size = this.imageSize(); options.size = this.imageSize();
options.can = {};
if ( options.nonces ) {
options.can.remove = !! options.nonces['delete'];
options.can.save = !! options.nonces.update;
}
this.views.detach(); this.views.detach();
this.$el.html( this.template( options ) ); this.$el.html( this.template( options ) );
@ -2967,12 +2972,12 @@
this.updateSave('waiting'); this.updateSave('waiting');
save.requests = requests; save.requests = requests;
requests.done( function() { requests.always( function() {
// If we've performed another request since this one, bail. // If we've performed another request since this one, bail.
if ( save.requests !== requests ) if ( save.requests !== requests )
return; return;
view.updateSave('complete'); view.updateSave( requests.state() === 'resolved' ? 'complete' : 'error' );
save.savedTimer = setTimeout( function() { save.savedTimer = setTimeout( function() {
view.updateSave('ready'); view.updateSave('ready');
delete save.savedTimer; delete save.savedTimer;
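Review bot: The `options.can` block in `render` exposes the `delete` nonce under the different name `remove` without saying why; a one-line comment, `// 'delete' is a reserved word, so the nonce is read by string key and exposed as can.remove.`, would save the next reader a search. The same comment should say that `can` only mirrors which nonces the server issued and gates the UI; whether each Ajax handler re-checks the capability is not visible here and is worth confirming. In the save hunk, `requests.always` now shows `'error'` when the aggregate promise is rejected, but the view still falls through to `'ready'` on the same timer, so a user without an update nonce sees only a brief error flash; consider skipping the timer, or keeping the error state, when `requests.state()` is not `'resolved'`. `render` begins before the first hunk.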


@ -1334,11 +1334,17 @@ function wp_prepare_attachment_for_js( $attachment ) {
'icon' => wp_mime_type_icon( $attachment->ID ), 'icon' => wp_mime_type_icon( $attachment->ID ),
'dateFormatted' => mysql2date( get_option('date_format'), $attachment->post_date ), 'dateFormatted' => mysql2date( get_option('date_format'), $attachment->post_date ),
'nonces' => array( 'nonces' => array(
'update' => wp_create_nonce( 'update-post_' . $attachment->ID ), 'update' => false,
'delete' => wp_create_nonce( 'delete-post_' . $attachment->ID ), 'delete' => false,
), ),
); );
if ( current_user_can( 'edit_post', $attachment->ID ) )
$response['nonces']['update'] = wp_create_nonce( 'update-post_' . $attachment->ID );
if ( current_user_can( 'delete_post', $attachment->ID ) )
$response['nonces']['delete'] = wp_create_nonce( 'delete-post_' . $attachment->ID );
if ( $meta && 'image' === $type ) { if ( $meta && 'image' === $type ) {
$sizes = array(); $sizes = array();
$possible_sizes = apply_filters( 'image_size_names_choose', array( $possible_sizes = apply_filters( 'image_size_names_choose', array(
@ -1690,7 +1696,7 @@ function wp_print_media_templates() {
<# if ( 'image' === data.type && ! data.uploading && data.width && data.height ) { #> <# if ( 'image' === data.type && ! data.uploading && data.width && data.height ) { #>
<div class="dimensions">{{ data.width }} &times; {{ data.height }}</div> <div class="dimensions">{{ data.width }} &times; {{ data.height }}</div>
<# } #> <# } #>
<# if ( ! data.uploading ) { #> <# if ( ! data.uploading && data.can.remove ) { #>
<div class="delete-attachment"> <div class="delete-attachment">
<a href="#"><?php _e( 'Delete Permanently' ); ?></a> <a href="#"><?php _e( 'Delete Permanently' ); ?></a>
</div> </div>
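Review bot: The template condition `data.can.remove` assumes every renderer of this template supplies a `can` object; any view that passes the raw model JSON (which carries only `nonces`) will throw inside the template instead of hiding the link. A defensive form, `<# if ( ! data.uploading && data.can && data.can.remove ) { #>`, costs nothing. In wp_prepare_attachment_for_js, issuing the delete nonce only when `delete_post` holds is a sensible UI signal, but a nonce is not itself an authorization check; the delete handler, which is outside this diff, should still call `current_user_can( 'delete_post', $id )`, and a comment on the nonces array would make that explicit: `// Nonces double as "can" flags for the JS; Ajax handlers must still check capabilities.`.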