Add cap checks. see #6838

git-svn-id: http://svn.automattic.com/wordpress/trunk@7827 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-04-25 15:01:02 +00:00 · 2008-04-25 15:01:02 +00:00 · 77087fe6fa
parent 4b2959f55b
commit 77087fe6fa
1 changed files with 10 additions and 0 deletions
--- a/wp-admin/media.php
+++ b/wp-admin/media.php
@ -11,6 +11,12 @@ switch( $action ) :
 case 'editattachment' :
 	$errors = media_upload_form_handler();
 	$attachment_id = (int) $_POST['attachment_id'];
+
+	check_admin_referer('media-form');
+
+	if ( !current_user_can('edit_post', $attachment_id) )
+		wp_die ( __('You are not allowed to edit this attachment.') );
+
 	if ( empty($errors) ) {
 		$location = 'media.php';
 		if ( $referer = wp_get_original_referer() ) {
@ -39,6 +45,10 @@ case 'edit' :
 		exit();
 	}
 	$att_id = (int) $_GET['attachment_id'];
+
+	if ( !current_user_can('edit_post', $att_id) )
+		wp_die ( __('You are not allowed to edit this attachment.') );
+
 	$att = get_post($att_id);

 	add_filter('attachment_fields_to_edit', 'media_single_attachment_fields_to_edit', 10, 2);