diff --git a/wp-admin/includes/ajax-actions.php b/wp-admin/includes/ajax-actions.php
index 50c7b58a81..b842dfadc3 100644
--- a/wp-admin/includes/ajax-actions.php
+++ b/wp-admin/includes/ajax-actions.php
@@ -1833,6 +1833,8 @@ function wp_ajax_save_attachment() {
 if ( ! $id = absint( $_REQUEST['id'] ) )
 wp_send_json_error();
+ check_ajax_referer( 'save-attachment', 'nonce' );
+
 if ( ! current_user_can( 'edit_post', $id ) )
 wp_send_json_error();
diff --git a/wp-includes/js/media-models.js b/wp-includes/js/media-models.js
index 4e15f4f297..c64c4e655a 100644
--- a/wp-includes/js/media-models.js
+++ b/wp-includes/js/media-models.js
@@ -1,7 +1,7 @@
 window.wp = window.wp || {};
 (function($){
- var Attachment, Attachments, Query, compare;
+ var Attachment, Attachments, Query, compare, l10n;
 /**
 * wp.media( attributes )
@@ -20,6 +20,9 @@ window.wp = window.wp || {};
 _.extend( media, { model: {}, view: {}, controller: {} });
+ // Link any localized strings.
+ l10n = media.model.l10n = _.isUndefined( _wpMediaModelsL10n ) ? {} : _wpMediaModelsL10n;
+
 /**
 * ========================================================================
 * UTILITIES
@@ -192,7 +195,8 @@ window.wp = window.wp || {};
 // Set the action and ID.
 options.data = _.extend( options.data || {}, {
 action: 'save-attachment',
- id: this.id
+ id: this.id,
+ nonce: l10n.saveAttachmentNonce
 });
 // Record the values of the changed attributes.
diff --git a/wp-includes/script-loader.php b/wp-includes/script-loader.php
index 86c0035708..0926dc3796 100644
--- a/wp-includes/script-loader.php
+++ b/wp-includes/script-loader.php
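Review bot: The added `check_ajax_referer( 'save-attachment', 'nonce' )` keeps the default die-on-failure behaviour, so a missing or stale nonce ends the request with a bare `-1` body, whereas the two neighbouring guards in this hunk (the `absint` check above and the `current_user_can` check below) both answer with `wp_send_json_error()`, which is presumably the shape the Backbone caller expects. For one consistent failure contract, test the result instead of letting it die: `if ( ! check_ajax_referer( 'save-attachment', 'nonce', false ) ) wp_send_json_error();`. Moving that line above the `absint( $_REQUEST['id'] )` guard would also make the nonce the first thing verified, which is the more common ordering for admin-ajax handlers. The body of wp_ajax_save_attachment continues outside the hunk.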
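Review bot: In the @@ -20 hunk, `_.isUndefined( _wpMediaModelsL10n )` evaluates the identifier bare, so if the script was registered before `init` and the gated `localize` call in script-loader.php never ran, no `_wpMediaModelsL10n` global exists and the expression throws a ReferenceError before `_.isUndefined` sees anything; the `{}` fallback only covers a declared-but-undefined variable. A typeof test handles the absence the comment implies: `l10n = media.model.l10n = ( typeof _wpMediaModelsL10n === 'undefined' ) ? {} : _wpMediaModelsL10n;`. The same absence reaches the @@ -192 hunk, where `nonce: l10n.saveAttachmentNonce` then sends no usable nonce and the save is refused by the server's referer check rather than by a JSON error the model can read; a short comment on that line, such as `// Nonce comes from _wpMediaModelsL10n (script-loader.php); empty when the script was not localized.`, would make the dependency visible. The enclosing save function starts and ends outside the @@ -192 hunk.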
@@ -315,6 +315,10 @@ function wp_default_scripts( &$scripts ) {
 ) );
 $scripts->add( 'media-models', "/wp-includes/js/media-models$suffix.js", array( 'backbone', 'jquery' ), false, 1 );
+ did_action( 'init' ) && $scripts->localize( 'media-models', '_wpMediaModelsL10n', array(
+ 'saveAttachmentNonce' => wp_create_nonce( 'save-attachment' ),
+ ) );
+
 $scripts->add( 'media-views', "/wp-includes/js/media-views$suffix.js", array( 'media-models', 'wp-plupload' ), false, 1 );
 did_action( 'init' ) && $scripts->localize( 'media-views', '_wpMediaViewsL10n', array(
 // Generic
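Review bot: The new `localize` call is gated on `did_action( 'init' )` exactly like the `media-views` one below it, but nothing says why, and a reader tidying this function could drop the gate; presumably it exists because `wp_create_nonce` is bound to the current user, who is not resolvable before `init`, so a one-line comment would preserve that intent: `// Nonces are per-user; wp_create_nonce() needs the current user, which is only known after 'init'.` Note also that the nonce is minted once per page render and embedded in the `_wpMediaModelsL10n` global, so a media screen left open past the nonce lifetime will have every `save-attachment` request refused by `check_ajax_referer`, and this commit adds no refresh path on the JS side — worth a follow-up. The rest of wp_default_scripts lies outside the hunk.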