From f61501f57fd6fd489e7729dbaa55a7945b8cffc9 Mon Sep 17 00:00:00 2001
From: Scott Taylor <scott.c.taylor@mac.com>
Date: Tue, 23 Jun 2015 18:20:27 +0000
Subject: [PATCH] The `query-attachments` AJAX action immediately errors out if
 the user doesn't have the `upload_files` cap. As such, the Customizer
 shouldn't show buttons that launch the media modal when the user doesn't have
 the proper permissions to query attachments.

See #32654.

Built from https://develop.svn.wordpress.org/trunk@32913


git-svn-id: http://core.svn.wordpress.org/trunk@32884 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/custom-background.php             | 2 ++
 wp-admin/custom-header.php                 | 2 +-
 wp-includes/class-wp-customize-control.php | 9 +++++++--
 wp-includes/version.php                    | 2 +-
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/wp-admin/custom-background.php b/wp-admin/custom-background.php
index 73855e5170..61a700af5e 100644
--- a/wp-admin/custom-background.php
+++ b/wp-admin/custom-background.php
@@ -259,6 +259,7 @@ class Custom_Background {
 </tr>
 <?php endif; ?>
 
+<?php if ( current_user_can( 'upload_files' ) ): ?>
 <tr>
 <th scope="row"><?php _e('Select Image'); ?></th>
 <td><form enctype="multipart/form-data" id="upload-form" class="wp-upload-form" method="post">
@@ -278,6 +279,7 @@ class Custom_Background {
 	</form>
 </td>
 </tr>
+<?php endif; ?>
 </tbody>
 </table>
 
diff --git a/wp-admin/custom-header.php b/wp-admin/custom-header.php
index 9753897ecb..966d356639 100644
--- a/wp-admin/custom-header.php
+++ b/wp-admin/custom-header.php
@@ -509,7 +509,7 @@ class Custom_Image_Header {
 </tr>
 <?php endif; ?>
 
-<?php if ( current_theme_supports( 'custom-header', 'uploads' ) ) : ?>
+<?php if ( current_user_can( 'upload_files' ) && current_theme_supports( 'custom-header', 'uploads' ) ) : ?>
 <tr>
 <th scope="row"><?php _e( 'Select Image' ); ?></th>
 <td>
diff --git a/wp-includes/class-wp-customize-control.php b/wp-includes/class-wp-customize-control.php
index cf41933eab..29ddae08af 100644
--- a/wp-includes/class-wp-customize-control.php
+++ b/wp-includes/class-wp-customize-control.php
@@ -721,6 +721,7 @@ class WP_Customize_Media_Control extends WP_Customize_Control {
 		$this->json['label'] = html_entity_decode( $this->label, ENT_QUOTES, get_bloginfo( 'charset' ) );
 		$this->json['mime_type'] = $this->mime_type;
 		$this->json['button_labels'] = $this->button_labels;
+		$this->json['canUpload'] = current_user_can( 'upload_files' );
 
 		$value = $this->value();
 
@@ -823,9 +824,11 @@ class WP_Customize_Media_Control extends WP_Customize_Control {
 				</div>
 			</div>
 			<div class="actions">
+				<# if ( data.canUpload ) { #>
 				<button type="button" class="button remove-button"><?php echo $this->button_labels['remove']; ?></button>
 				<button type="button" class="button upload-button" id="{{ data.settings['default'] }}-button"><?php echo $this->button_labels['change']; ?></button>
 				<div style="clear:both"></div>
+				<# } #>
 			</div>
 		<# } else { #>
 			<div class="current">
@@ -843,7 +846,9 @@ class WP_Customize_Media_Control extends WP_Customize_Control {
 				<# if ( data.defaultAttachment ) { #>
 					<button type="button" class="button default-button"><?php echo $this->button_labels['default']; ?></button>
 				<# } #>
+				<# if ( data.canUpload ) { #>
 				<button type="button" class="button upload-button" id="{{ data.settings['default'] }}-button"><?php echo $this->button_labels['select']; ?></button>
+				<# } #>
 				<div style="clear:both"></div>
 			</div>
 		<# } #>
@@ -1158,8 +1163,6 @@ class WP_Customize_Header_Image_Control extends WP_Customize_Image_Control {
 		$width = absint( get_theme_support( 'custom-header', 'width' ) );
 		$height = absint( get_theme_support( 'custom-header', 'height' ) );
 		?>
-
-
 		<div class="customize-control-content">
 			<p class="customizer-section-intro">
 				<?php
@@ -1180,11 +1183,13 @@ class WP_Customize_Header_Image_Control extends WP_Customize_Image_Control {
 				</div>
 			</div>
 			<div class="actions">
+				<?php if ( current_user_can( 'upload_files' ) ): ?>
 				<?php /* translators: Hide as in hide header image via the Customizer */ ?>
 				<button type="button"<?php echo $visibility ?> class="button remove"><?php _ex( 'Hide image', 'custom header' ); ?></button>
 				<?php /* translators: New as in add new header image via the Customizer */ ?>
 				<button type="button" class="button new"><?php _ex( 'Add new image', 'header image' ); ?></button>
 				<div style="clear:both"></div>
+				<?php endif; ?>
 			</div>
 			<div class="choices">
 				<span class="customize-control-title header-previously-uploaded">
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 30c1cc54c6..8e956147ce 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.3-alpha-32912';
+$wp_version = '4.3-alpha-32913';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.