[wp-hackers] Removing admin-ajax.php hacks

Nicolas Kuttler wp-hackers at nicolaskuttler.de
Thu Jul 1 11:53:24 UTC 2010


Am I missing something? Why don't you simply download wordpress and take the current ajax handler?

Modifying the handler itself is kind of pointless as you can check user capabilities inside your ajax action...

Nicolas

On Wed, Jun 30, 2010 at 05:27:17PM -0500, Shelby, Harper wrote:
> I've been asked to remove some hacks to an existing WPMU installation, and the one that's causing me the most grief are the edits to admin-ajax.php. The previous maintainer altered the security checks on several activities, changing
> 
>     if ( !current_user_can( 'edit_post', $pid ) )
> 
> to
> 
>     if ( !current_user_can( 'edit_post', $pid ) && !current_user_can( 'moderate_comments' ) )
> 
> I have been digging quite a bit, but can't seem to find a way to alter the admin-ajax.php scripts in the correct manner. The goal of the customization was to allow a "Comment Moderator" role that could moderate comments, but not edit blog posts (somewhat obvious, but I thought I'd spell it out). The role was created using Capability Manager, but these hacks were added to the ajax to allow the role to work as intended.
> 
> Any guidance on the right way to remove this customization would be greatly appreciated.
> 
> 
> Thanks,
> 
> Harper Shelby
> Pariveda Solutions
>  4203 Montrose | Suite 100 | Houston, Texas 77006
>  (F) 713.520.4290 | (M) 281.520.2817
> The Business of IT(r)
> http://www.parivedasolutions.com/
> 
> 
> 


--
Nicolas Kuttler
wp at nkuttler.de

http://www.nkuttler.de
http://www.nicolaskuttler.de (deutsch)
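What Nicolas describes, as an added example that is not from this thread or from WordPress itself: a small plugin registers its own admin-ajax action for the "Comment Moderator" role and does the nonce and capability checks inside that handler, so core's admin-ajax.php stays untouched. The action name, nonce key and POST parameter names are assumptions made for this example.

```php
<?php
/*
Plugin Name: Comment Moderator AJAX (hypothetical example plugin)
*/

// Hypothetical action name: the browser posts action=cm_set_comment_status
// to wp-admin/admin-ajax.php and core dispatches it to this hook.
add_action( 'wp_ajax_cm_set_comment_status', 'cm_set_comment_status' );

function cm_set_comment_status() {
    // CSRF check: the request must carry a nonce minted for this action.
    check_ajax_referer( 'cm_set_comment_status', '_ajax_nonce' );

    // The capability check belongs here, in the plugin's own handler.
    // moderate_comments is what the custom role was granted; edit_post is
    // deliberately not required, so the role still cannot edit posts.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_die( -1 ); // same reply core gives unauthorised ajax requests
    }

    $comment_id = isset( $_POST['comment_id'] ) ? absint( $_POST['comment_id'] ) : 0;
    $status     = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';

    // Only accept statuses wp_set_comment_status() understands.
    $allowed = array( 'approve', 'hold', 'spam', 'trash' );
    if ( ! $comment_id || ! in_array( $status, $allowed, true ) || ! get_comment( $comment_id ) ) {
        wp_die( 0 ); // malformed or unknown comment: nothing changed
    }

    $ok = wp_set_comment_status( $comment_id, $status );
    echo $ok ? '1' : '0';
    wp_die();
}

// Hand the nonce to the admin-side script that fires the request (the
// script handle and file path are assumptions for this example).
add_action( 'admin_enqueue_scripts', 'cm_enqueue_moderator_script' );

function cm_enqueue_moderator_script() {
    if ( ! current_user_can( 'moderate_comments' ) ) {
        return;
    }
    wp_enqueue_script( 'cm-moderator', plugins_url( 'cm-moderator.js', __FILE__ ), array( 'jquery' ) );
    wp_localize_script( 'cm-moderator', 'cmModerator', array(
        'ajaxurl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'cm_set_comment_status' ),
    ) );
}
```

With the plugin active, the hand-edited `current_user_can()` conditions in admin-ajax.php can be reverted to the stock file, since the moderator role no longer depends on them.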

