From 1dd324451f561a424674a03d87d9fde8c107696b Mon Sep 17 00:00:00 2001
From: nacin
Date: Tue, 7 Dec 2010 18:59:25 +0000
Subject: [PATCH] Use assign_terms cap for tag search and tag cloud in admin ajax. fixes #15437.
git-svn-id: http://svn.automattic.com/wordpress/trunk@16771 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/admin-ajax.php | 40 ++++++++++++++++++++++------------------
 1 file changed, 22 insertions(+), 18 deletions(-)
diff --git a/wp-admin/admin-ajax.php b/wp-admin/admin-ajax.php
index 51e9d59560..9ab0bbd4f0 100644
--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -66,16 +66,19 @@ case 'fetch-list' :
 die( '0' );
 break;
 case 'ajax-tag-search' :
- if ( !current_user_can( 'edit_posts' ) )
- die('-1');
+ if ( isset( $_GET['tax'] ) ) {
+ $taxonomy = sanitize_key( $_GET['tax'] );
+ $tax = get_taxonomy( $taxonomy );
+ if ( ! $tax )
+ die( '0' );
+ if ( ! current_user_can( $tax->cap->assign_terms ) )
+ die( '-1' );
+ } else {
+ die('0');
+ }
 $s = $_GET['q']; // is this slashed already?
- if ( isset($_GET['tax']) )
- $taxonomy = sanitize_title($_GET['tax']);
- else
- die('0');
 if ( false !== strpos( $s, ',' ) ) {
 $s = explode( ',', $s );
 $s = $s[count( $s ) - 1];
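Review bot: The new guard validates `tax` but the very next line still reads `$_GET['q']` unconditionally, so a request that omits `q` produces an undefined-index notice and the search proceeds with a null `$s`; a matching check such as `if ( ! isset( $_GET['q'] ) ) die( '0' );` placed right after the new block would close that gap. The same resolve-taxonomy-then-check-`assign_terms` block is repeated almost verbatim in the `get-tagcloud` hunk below (with `$_POST['tax']` in place of `$_GET['tax']`); since this block is now the access control for both endpoints, a small shared helper taking the raw taxonomy value would keep the two checks from drifting apart. Within the block the spacing is mixed, `die( '0' )` in the if-branch but `die('0')` in the else-branch; the else should use the `die( '0' )` form of the lines above it. The `ajax-tag-search` case continues past the end of the hunk.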
@@ -547,23 +550,24 @@ case 'add-tag' :
 $x->send();
 break;
 case 'get-tagcloud' :
- if ( !current_user_can( 'edit_posts' ) )
- die('-1');
-
- if ( isset($_POST['tax']) )
- $taxonomy = sanitize_title($_POST['tax']);
- else
+ if ( isset( $_POST['tax'] ) ) {
+ $taxonomy = sanitize_key( $_POST['tax'] );
+ $tax = get_taxonomy( $taxonomy );
+ if ( ! $tax )
+ die( '0' );
+ if ( ! current_user_can( $tax->cap->assign_terms ) )
+ die( '-1' );
+ } else {
 die('0');
+ }
 $tags = get_terms( $taxonomy, array( 'number' => 45, 'orderby' => 'count', 'order' => 'DESC' ) );
- if ( empty( $tags ) ) {
- $tax = get_taxonomy( $taxonomy );
+ if ( empty( $tags ) )
 die( isset( $tax->no_tagcloud ) ? $tax->no_tagcloud : __('No tags found!') );
- }
- if ( is_wp_error($tags) )
- die($tags->get_error_message());
+ if ( is_wp_error( $tags ) )
+ die( $tags->get_error_message() );
 foreach ( $tags as $key => $tag ) {
 $tags[ $key ]->link = '#';
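Review bot: On the new side `if ( empty( $tags ) )` runs before `if ( is_wp_error( $tags ) )`, so the error branch is reachable only because a `WP_Error` object never satisfies `empty()`; swapping the two checks so `is_wp_error( $tags )` is tested first states that intent directly instead of relying on that property. The `get-tagcloud` case continues past the end of the hunk.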