Shiny Updates: Add capability checks to the ajax callbacks, to ensure the current user is allowed to install/update plugins.

See #29820


Built from https://develop.svn.wordpress.org/trunk@31334


git-svn-id: http://core.svn.wordpress.org/trunk@31315 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Gary Pendergast 2015-02-05 06:05:22 +00:00
parent 9c69213f2b
commit b7926a518a
2 changed files with 9 additions and 1 deletions

View File

@ -2835,6 +2835,10 @@ function wp_ajax_destroy_sessions() {
* @since 4.2.0 * @since 4.2.0
*/ */
function wp_ajax_install_plugin() { function wp_ajax_install_plugin() {
if ( ! current_user_can( 'install_plugins' ) ) {
wp_die( __('You do not have sufficient permissions to install plugins on this site.') );
}
check_ajax_referer( 'updates' ); check_ajax_referer( 'updates' );
include_once( ABSPATH . 'wp-admin/includes/class-wp-upgrader.php' ); include_once( ABSPATH . 'wp-admin/includes/class-wp-upgrader.php' );
@ -2875,6 +2879,10 @@ function wp_ajax_install_plugin() {
* @since 4.2.0 * @since 4.2.0
*/ */
function wp_ajax_update_plugin() { function wp_ajax_update_plugin() {
if ( ! current_user_can( 'update_plugins' ) ) {
wp_die( __('You do not have sufficient permissions to install plugins on this site.') );
}
check_ajax_referer( 'updates' ); check_ajax_referer( 'updates' );
include_once( ABSPATH . 'wp-admin/includes/class-wp-upgrader.php' ); include_once( ABSPATH . 'wp-admin/includes/class-wp-upgrader.php' );

View File

@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.2-alpha-31333'; $wp_version = '4.2-alpha-31334';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.