This plugin prevents unprivileged users from seeing images that other users uploaded:
add_filter( 'parse_query', 'own_content_only_restriction' );

function own_content_only_restriction( $wp_query ) {
    // Users holding the custom 'see_others_media' capability are not restricted.
    if ( ! current_user_can( 'see_others_media' ) ) {
        // Only apply on the media library, admin-ajax (media modal) and post list screens.
        if ( strpos( $_SERVER['REQUEST_URI'], '/wp-admin/upload.php' ) !== false
            || strpos( $_SERVER['REQUEST_URI'], '/wp-admin/admin-ajax.php' ) !== false
            || strpos( $_SERVER['REQUEST_URI'], '/wp-admin/edit.php' ) !== false ) {
            // Limit the query to items authored by the current user.
            $wp_query->set( 'author', get_current_user_id() );
        }
    }
}
It can be bypassed, though, if the user goes to the detail view of one of his images, for example /wp-admin/upload.php?item=608,
and then simply enters a different valid item ID. How can I change the plugin code to prevent this as well?
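One way to close the gap described above, added here as an illustration and not part of the original question or the plugin: the ownership test moves into one reusable function that gates the attachment list query, the upload.php?item= page load and the per-item admin-ajax request. It assumes the custom capability `see_others_media` from the question, that the detail view fetches a single attachment through the `get-attachment` ajax action, and that WordPress registers its own handler for that action at priority 1 so a callback at priority 0 runs first.

```php
<?php
/**
 * Added example, not from the original question: enforce the ownership rule at
 * every entry point to the media detail view, not only on the list query.
 * Assumptions: capability 'see_others_media' exists as in the question; the
 * modal loads one item via the 'get-attachment' ajax action, whose core
 * handler is registered at priority 1 (so priority 0 runs before it).
 */

// True when the current user may view the attachment with the given ID.
function ocor_user_may_view_attachment( $attachment_id ) {
    if ( current_user_can( 'see_others_media' ) ) {
        return true;
    }
    $post = get_post( absint( $attachment_id ) );
    // Unknown or non-attachment IDs are denied rather than silently allowed.
    if ( ! $post || 'attachment' !== $post->post_type ) {
        return false;
    }
    return (int) $post->post_author === get_current_user_id();
}

// 1) Media library list/grid: restrict attachment queries in the admin by author,
//    instead of matching REQUEST_URI substrings.
function ocor_restrict_media_query( $query ) {
    if ( is_admin() && ! current_user_can( 'see_others_media' )
        && 'attachment' === $query->get( 'post_type' ) ) {
        $query->set( 'author', get_current_user_id() );
    }
}
add_action( 'pre_get_posts', 'ocor_restrict_media_query' );

// 2) Direct URL /wp-admin/upload.php?item=<ID>: refuse foreign IDs before the page renders.
function ocor_check_upload_item() {
    if ( isset( $_GET['item'] ) && ! ocor_user_may_view_attachment( $_GET['item'] ) ) {
        wp_die( 'You are not allowed to view this media item.', 403 );
    }
}
add_action( 'load-upload.php', 'ocor_check_upload_item' );

// 3) The modal's per-item ajax request: deny before core's handler (priority 1) runs.
function ocor_check_ajax_get_attachment() {
    if ( ! isset( $_REQUEST['id'] ) || ! ocor_user_may_view_attachment( $_REQUEST['id'] ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
}
add_action( 'wp_ajax_get-attachment', 'ocor_check_ajax_get_attachment', 0 );
```

Unlike the original filter, this version scopes the query restriction to attachments only; the edit.php restriction from the question would need its own rule.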