REST API: Attachments controller should respect upload limits.

When the REST API is in use on WordPress multisite, the `WP_REST_Attachments_Controller` should respect the "Max upload file size" and "Site upload space" site options. Props flixos90, danielbachhuber. Merges [43462] to the 4.9 branch. Fixes #43751. Built from https://develop.svn.wordpress.org/branches/4.9@43489 git-svn-id: http://core.svn.wordpress.org/branches/4.9@43316 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-09-29 07:37:44 +02:00 · 2018-07-17 16:12:27 +00:00 · 2018-07-17 16:12:27 +00:00 · d413bb103d
commit d413bb103d
parent c22ddf38ed
2 changed files with 49 additions and 1 deletions
--- a/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
+++ b/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
@ -559,6 +559,11 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
 			'type'     => $type,
 		);

+		$size_check = self::check_upload_size( $file_data );
+		if ( is_wp_error( $size_check ) ) {
+			return $size_check;
+		}
+
 		$overrides = array(
 			'test_form' => false,
 		);
@ -726,6 +731,11 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
 			$overrides['action'] = 'wp_handle_mock_upload';
 		}

+		$size_check = self::check_upload_size( $files['file'] );
+		if ( is_wp_error( $size_check ) ) {
+			return $size_check;
+		}
+
 		/** Include admin functions to get access to wp_handle_upload() */
 		require_once ABSPATH . 'wp-admin/includes/admin.php';

@ -763,4 +773,42 @@ class WP_REST_Attachments_Controller extends WP_REST_Posts_Controller {
 		return $media_types;
 	}

+	/**
+	 * Determine if uploaded file exceeds space quota on multisite.
+	 *
+	 * Replicates check_upload_size().
+	 *
+	 * @since 4.9.8
+	 *
+	 * @param array $file $_FILES array for a given file.
+	 * @return true|WP_Error True if can upload, error for errors.
+	 */
+	protected function check_upload_size( $file ) {
+		if ( ! is_multisite() ) {
+			return true;
+		}
+
+		if ( get_site_option( 'upload_space_check_disabled' ) ) {
+			return true;
+		}
+
+		$space_left = get_upload_space_available();
+
+		$file_size = filesize( $file['tmp_name'] );
+		if ( $space_left < $file_size ) {
+			/* translators: %s: required disk space in kilobytes */
+			return new WP_Error( 'rest_upload_limited_space', sprintf( __( 'Not enough space to upload. %s KB needed.' ), number_format( ( $file_size - $space_left ) / KB_IN_BYTES ) ), array( 'status' => 400 ) );
+		}
+
+		if ( $file_size > ( KB_IN_BYTES * get_site_option( 'fileupload_maxk', 1500 ) ) ) {
+			/* translators: %s: maximum allowed file size in kilobytes */
+			return new WP_Error( 'rest_upload_file_too_big', sprintf( __( 'This file is too big. Files must be less than %s KB in size.' ), get_site_option( 'fileupload_maxk', 1500 ) ), array( 'status' => 400 ) );
+		}
+
+		if ( upload_is_user_over_quota( false ) ) {
+			return new WP_Error( 'rest_upload_user_quota_exceeded', __( 'You have used your space quota. Please delete files before uploading.' ), array( 'status' => 400 ) );
+		}
+		return true;
+	}
+
 }
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.9.8-alpha-43488';
+$wp_version = '4.9.8-alpha-43489';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.