Changeset 11819

Timestamp:

01/25/2018 08:15:02 PM (8 years ago)

Author:

djpaul

Message:

Media: improvements to cover image handling methods.

Props slaffik, ripstech.com

File:

• trunk/src/bp-core/bp-core-attachments.php (modified) (5 diffs)

trunk/src/bp-core/bp-core-attachments.php

@@ -448 +448 @@
     $type_dir    = trailingslashit( $bp_attachments_uploads_dir['basedir'] ) . $type_subdir;
 
-    if ( ! is_dir( $type_dir ) ) {
+    if ( 0 !== validate_file( $type_dir ) || ! is_dir( $type_dir ) ) {
         return $attachment_data;
     }
@@ -1304 +1304 @@
     $cover_dir    = trailingslashit( $bp_attachments_uploads_dir['basedir'] ) . $cover_subdir;
 
-    if ( ! is_dir( $cover_dir ) ) {
+    if ( 0 !== validate_file( $cover_dir ) || ! is_dir( $cover_dir ) ) {
         // Upload error response.
         bp_attachments_json_response( false, $is_html4, array(
@@ -1383 +1383 @@
     }
 
-    $cover_image_data = $_POST;
-
-    if ( empty( $cover_image_data['object'] ) || empty( $cover_image_data['item_id'] ) ) {
+    if ( empty( $_POST['object'] ) || empty( $_POST['item_id'] ) ) {
         wp_send_json_error();
     }
 
-    // Check the nonce.
+    $args = array(
+        'object'  => sanitize_text_field( $_POST['object'] ),
+        'item_id' => (int) $_POST['item_id'],
+    );
+
+    // Check permissions.
     check_admin_referer( 'bp_delete_cover_image', 'nonce' );
-
-    // Capability check.
-    if ( ! bp_attachments_current_user_can( 'edit_cover_image', $cover_image_data ) ) {
+    if ( ! bp_attachments_current_user_can( 'edit_cover_image', $args ) ) {
         wp_send_json_error();
     }
 
     // Set object for the user's case.
-    if ( 'user' === $cover_image_data['object'] ) {
+    if ( 'user' === $args['object'] ) {
         $component = 'xprofile';
         $dir       = 'members';
@@ -1404 +1405 @@
     // Set it for any other cases.
     } else {
-        $component = $cover_image_data['object'] . 's';
+        $component = $args['object'] . 's';
         $dir       = $component;
     }
 
     // Handle delete.
-    if ( bp_attachments_delete_file( array( 'item_id' => $cover_image_data['item_id'], 'object_dir' => $dir, 'type' => 'cover-image' ) ) ) {
+    if ( bp_attachments_delete_file( array( 'item_id' => $args['item_id'], 'object_dir' => $dir, 'type' => 'cover-image' ) ) ) {
         /**
          * Fires if the cover image was successfully deleted.
@@ -1422 +1423 @@
          * @param int $item_id Inform about the item id the cover image was deleted for.
          */
-        do_action( "{$component}_cover_image_deleted", (int) $cover_image_data['item_id'] );
+        do_action( "{$component}_cover_image_deleted", (int) $args['item_id'] );
 
         $response = array(