Bug #24201
open
Error uploading images on event calendar
Description
Hi,
I get an error when trying to upload a featured image for an event in the events calendar: "Sorry, you are not allowed to upload files."
See screenshot.
Updated by Laurie Hurson 2 days ago
- Subject changed from Error upload images on event calendar to Error uploading images on event calendar
Updated by Laurie Hurson 2 days ago
correct screenshot
Updated by Boone Gorges 2 days ago
- Assignee set to Raymond Hoh
Thanks for the screenshot, Laurie.
Ray, the 'upload_files' cap is supposed to be granted by bpeo_map_upload_files_meta_cap(). See https://github.com/cuny-academic-commons/bp-event-organiser/issues/17, https://github.com/cuny-academic-commons/bp-event-organiser/commit/2b704acc744e4983e73cec834cc865561bd15766. The bpeo_is_action() checks are failing - bp_current_component() and action are returning nothing during async-upload.php. I'm assuming this is due to changes in BP 12; I have some recollection that BP used to backfill these values in the case of AJAX requests, but this may no longer happen. Do you have thoughts about how best to fix it? We could look at HTTP_REFERER, but that's a bit error-prone and is subject to spoofing. Another idea is to add a new nonce field to the AJAX request and to use that as a way of indicating that it came from the front-end AJAX request, but I don't know how/whether we can hook into WP's JS call to async-upload.php to ensure that this custom value is included. What do you think?
Updated by Raymond Hoh 1 day ago
- Category name set to Events
- Status changed from New to Staged for Production Release
- Target version set to 2.6.5
> I'm assuming this is due to changes in BP 12; I have some recollection that BP used to backfill these values in the case of AJAX requests, but this may no longer happen.
That's correct. The backfilling only happens once you've registered the particular AJAX action with BuddyPress. (See prior commits like https://github.com/cuny-academic-commons/cac/commit/f42c6caefeff195c792959b6812b108a1746f0c9.) I tried to do the same thing here with bp_ajax_register_action( 'upload-attachment' ), but BuddyPress's current action doesn't appear to be correct. Something is wonky with the AJAX global backfilling with BuddyPress, but I haven't dived deep enough into BP's internals to figure out what the problem is yet.
Anyway the BuddyPress backfilling relies on parsing the referer and as you mention, Boone, this is not reliable. So instead, I've added some code during BP Event Organiser's 'upload_files' meta cap check to see if the 'upload-attachment' or 'query-attachments' AJAX actions are occurring. If they are, double-check to see if the current post is for the 'event' post type. If that passes and if we're on the upload action, double-check the 'media-form' nonce and once that passes, allow uploading to occur. See https://github.com/cuny-academic-commons/bp-event-organiser/commit/c7440d9f48b4d1b3f66f5ec68c1f027b9113d0a7. I've pushed the change to 2.6.x branch and also to production.
Laurie, can you test adding a featured image to an event to see if it works?
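The check described in the comment above, written as a `map_meta_cap` filter. This is an added example, not the code from the linked commit; the function name is hypothetical, and reading the post ID from the `post_id` request field and the extra `edit_post` check are assumptions that the thread does not state.

```php
<?php
/**
 * Added example (not the plugin's code): grant 'upload_files' only for
 * media AJAX requests that target an 'event' post and carry a valid nonce.
 */
function example_map_event_upload_cap( $caps, $cap, $user_id, $args ) {
	// Leave every other capability, logged-out users and non-AJAX requests alone.
	if ( 'upload_files' !== $cap || ! $user_id || ! wp_doing_ajax() ) {
		return $caps;
	}

	// Only the two media-modal actions named in the thread qualify.
	$action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
	if ( ! in_array( $action, array( 'upload-attachment', 'query-attachments' ), true ) ) {
		return $caps;
	}

	// Assumption: the media modal sends the post being edited as 'post_id'.
	$post_id = isset( $_REQUEST['post_id'] ) ? absint( $_REQUEST['post_id'] ) : 0;
	if ( ! $post_id || 'event' !== get_post_type( $post_id ) ) {
		return $caps;
	}

	// Assumption, not described in the thread: also require that this user
	// may edit the event, so the grant cannot be borrowed for someone else's post.
	if ( ! user_can( $user_id, 'edit_post', $post_id ) ) {
		return $caps;
	}

	// Uploads change state, so verify the 'media-form' nonce before granting.
	if ( 'upload-attachment' === $action ) {
		$nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
		if ( ! wp_verify_nonce( $nonce, 'media-form' ) ) {
			return $caps;
		}
	}

	// 'exist' is held by every user, so mapping to it grants the capability.
	return array( 'exist' );
}
add_filter( 'map_meta_cap', 'example_map_event_upload_cap', 10, 4 );
```

Every failed check returns `$caps` unchanged, so the user's normal role capabilities still decide the outcome and the filter can only widen access on the narrow path that passes all checks.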
Updated by Boone Gorges 29 minutes ago
Thanks, Ray! Your fix looks perfect to me.