Check the user before overwriting the attachment. Props xknown and Joseph Scott. fixes #4422

git-svn-id: http://svn.automattic.com/wordpress/trunk@5671 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
rob1n 2007-06-08 17:07:59 +00:00
parent 64b91fc94b
commit d84178acd7

View File

@ -1429,6 +1429,21 @@ class wp_xmlrpc_server extends IXR_Server {
$type = $data['type'];
$bits = $data['bits'];
logIO('O', '(MW) Received '.strlen($bits).' bytes');
if ( !$this->login_pass_ok($user_login, $user_pass) )
return $this->error;
set_current_user(0, $user_login);
if ( !current_user_can('upload_files') ) {
logIO('O', '(MW) User does not have upload_files capability');
$this->error = new IXR_Error(401, __('You are not allowed to upload files to this site.'));
return $this->error;
}
if ( $upload_err = apply_filters( "pre_upload_error", false ) )
return new IXR_Error(500, $upload_err);
if(!empty($data["overwrite"]) && ($data["overwrite"] == true)) {
// Get postmeta info on the object.
$old_file = $wpdb->get_row("
@ -1447,21 +1462,6 @@ class wp_xmlrpc_server extends IXR_Server {
$name = "wpid{$old_file->ID}-{$filename}";
}
logIO('O', '(MW) Received '.strlen($bits).' bytes');
if ( !$this->login_pass_ok($user_login, $user_pass) )
return $this->error;
set_current_user(0, $user_login);
if ( !current_user_can('upload_files') ) {
logIO('O', '(MW) User does not have upload_files capability');
$this->error = new IXR_Error(401, __('You are not allowed to upload files to this site.'));
return $this->error;
}
if ( $upload_err = apply_filters( "pre_upload_error", false ) )
return new IXR_Error(500, $upload_err);
$upload = wp_upload_bits($name, $type, $bits, $overwrite);
if ( ! empty($upload['error']) ) {
$errorString = sprintf(__('Could not write file %1$s (%2$s)'), $name, $upload['error']);