Diffstat (limited to 'plugins/jetpack/modules/contact-form/admin.php')
-rw-r--r--plugins/jetpack/modules/contact-form/admin.php14
1 files changed, 13 insertions, 1 deletions
diff --git a/plugins/jetpack/modules/contact-form/admin.php b/plugins/jetpack/modules/contact-form/admin.php
index 834c95c1..24329bcc 100644
--- a/plugins/jetpack/modules/contact-form/admin.php
+++ b/plugins/jetpack/modules/contact-form/admin.php
@@ -26,7 +26,9 @@ function grunion_media_button( ) {
add_action( 'wp_ajax_grunion_form_builder', 'grunion_display_form_view' );
function grunion_display_form_view() {
- require_once GRUNION_PLUGIN_DIR . 'grunion-form-view.php';
+ if ( current_user_can( 'edit_posts' ) ) {
+ require_once GRUNION_PLUGIN_DIR . 'grunion-form-view.php';
+ }
exit;
}
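Review bot: The refused path in grunion_display_form_view (a caller without `edit_posts`) skips the require and falls straight to the bare `exit`, so the client receives an HTTP 200 with an empty body that is indistinguishable from a rendering failure; the other two handlers in this commit answer `die( '-1' )`, and this one should do the same, e.g. `} else { die( '-1' ); }` ahead of the `exit`. Unlike those handlers this one also runs no `check_ajax_referer()`; if that is deliberate because `grunion-form-view.php` only renders the builder markup, a one-line comment such as `// No nonce: read-only view, capability check is sufficient` would stop the next reader from treating the omission as a bug.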
@@ -507,6 +509,10 @@ function grunion_sort_objects( $a, $b ) {
function grunion_ajax_shortcode() {
check_ajax_referer( 'grunion_shortcode' );
+ if ( ! current_user_can( 'edit_posts' ) ) {
+ die( '-1' );
+ }
+
$attributes = array();
foreach ( array( 'subject', 'to' ) as $attribute ) {
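Review bot: The new capability check in grunion_ajax_shortcode rejects with `die( '-1' )`, which still returns HTTP 200, so a forbidden request looks like a successful response whose body happens to be `-1` and is invisible to status-based monitoring; if the WordPress versions Jetpack supports accept a status argument, `wp_die( -1, 403 )` makes the refusal explicit. Checking `edit_posts` after `check_ajax_referer()` is the right order and the right floor for a handler that only builds a shortcode string. The body of grunion_ajax_shortcode continues past the end of this hunk, so the use of the `subject` and `to` attributes could not be reviewed here.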
@@ -550,6 +556,12 @@ function grunion_ajax_shortcode_to_json() {
check_ajax_referer( 'grunion_shortcode_to_json' );
+ if ( ! empty( $_POST['post_id'] ) && ! current_user_can( 'edit_post', $_POST['post_id'] ) ) {
+ die( '-1' );
+ } elseif ( ! current_user_can( 'edit_posts' ) ) {
+ die( '-1' );
+ }
+
if ( !isset( $_POST['content'] ) || !is_numeric( $_POST['post_id'] ) ) {
die( '-1' );
}
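Review bot: In grunion_ajax_shortcode_to_json the new `edit_post` check hands the raw `$_POST['post_id']` to `current_user_can()` before the existing `is_numeric()` validation a few lines below, so a non-numeric value reaches `map_meta_cap` unvalidated, and because the guard uses `! empty()`, a `post_id` of `'0'` bypasses the per-post check yet still satisfies `is_numeric()` afterward and proceeds with only `edit_posts`. Validate and cast first, then branch on the integer, as below. The rest of the function, including what it does with `post_id` after these checks, is outside the hunk and could not be reviewed here.
```php
check_ajax_referer( 'grunion_shortcode_to_json' );

if ( ! isset( $_POST['content'] ) || ! is_numeric( $_POST['post_id'] ) ) {
    die( '-1' );
}
$post_id = (int) $_POST['post_id'];

// A specific post requires edit rights on that post; otherwise fall back to the general capability.
if ( $post_id > 0 ? ! current_user_can( 'edit_post', $post_id ) : ! current_user_can( 'edit_posts' ) ) {
    die( '-1' );
}
// … unchanged: remainder of grunion_ajax_shortcode_to_json …
```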