From 77087fe6faaf0cce35370d2bcb79615063985d04 Mon Sep 17 00:00:00 2001
From: ryan
Date: Fri, 25 Apr 2008 15:01:02 +0000
Subject: [PATCH] Add cap checks. see #6838

git-svn-id: http://svn.automattic.com/wordpress/trunk@7827 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/media.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/wp-admin/media.php b/wp-admin/media.php
index b280d3ab0..0df44e9d6 100644
--- a/wp-admin/media.php
+++ b/wp-admin/media.php
@@ -11,6 +11,12 @@ switch( $action ) :
 case 'editattachment' :
 $errors = media_upload_form_handler();
 $attachment_id = (int) $_POST['attachment_id'];
+
+ check_admin_referer('media-form');
+
+ if ( !current_user_can('edit_post', $attachment_id) )
+ wp_die ( __('You are not allowed to edit this attachment.') );
+
 if ( empty($errors) ) {
 $location = 'media.php';
 if ( $referer = wp_get_original_referer() ) {
@@ -39,6 +45,10 @@ case 'edit' :
 exit();
 }
 $att_id = (int) $_GET['attachment_id'];
+
+ if ( !current_user_can('edit_post', $att_id) )
+ wp_die ( __('You are not allowed to edit this attachment.') );
+
 $att = get_post($att_id);
 add_filter('attachment_fields_to_edit', 'media_single_attachment_fields_to_edit', 10, 2);
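Review bot: The nonce and capability checks in the `editattachment` case are placed after `$errors = media_upload_form_handler();`, so the form handler has already processed the POST before `check_admin_referer('media-form')` and `current_user_can('edit_post', $attachment_id)` run; unless the handler repeats the same checks internally (not visible in this hunk), a request without a valid nonce or without edit rights still reaches the side effect. Moving the two added checks above the handler call puts the guard before the work: `check_admin_referer('media-form');` then `if ( !current_user_can('edit_post', $attachment_id) ) wp_die( __('You are not allowed to edit this attachment.') );` and only then `$errors = media_upload_form_handler();` (the `$attachment_id` assignment has to move up with them). Note also that `$attachment_id` is read from `$_POST['attachment_id']` without an `isset` guard, so a missing field yields `0` and the capability check is evaluated against no real post. The `switch( $action )` that encloses this case begins before the hunk.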
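Review bot: In the `edit` case the added `current_user_can('edit_post', $att_id)` check runs before `$att = get_post($att_id)`, and `$att` is never tested afterwards, so an id that matches no post (or a non-attachment post) passes straight through to the edit form; how `edit_post` resolves for a non-existent post is decided by `map_meta_cap`, which is outside this hunk, so the outcome should not be relied on. An explicit existence check after the `get_post` call makes the guard independent of that behaviour, e.g. `if ( !$att || 'attachment' != $att->post_type ) wp_die( __('Invalid attachment ID.') );` (message constructed for illustration). The `case 'edit'` branch and the block closed by the `}` at the top of the hunk begin before the hunk.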