wp_ajax_upload_attachment()

Ajax handler for uploading attachments

Source

File: wp-admin/includes/ajax-actions.php 

function wp_ajax_upload_attachment() {
	check_ajax_referer( 'media-form' );
	/*
	 * This function does not use wp_send_json_success() / wp_send_json_error()
	 * as the html4 Plupload handler requires a text/html content-type for older IE.
	 * See https://core.trac.wordpress.org/ticket/31037
	 */

	if ( ! current_user_can( 'upload_files' ) ) {
		echo wp_json_encode( array(
			'success' => false,
			'data'    => array(
				'message'  => __( 'Sorry, you are not allowed to upload files.' ),
				'filename' => esc_html( $_FILES['async-upload']['name'] ),
			)
		) );

		wp_die();
	}

	if ( isset( $_REQUEST['post_id'] ) ) {
		$post_id = $_REQUEST['post_id'];
		if ( ! current_user_can( 'edit_post', $post_id ) ) {
			echo wp_json_encode( array(
				'success' => false,
				'data'    => array(
					'message'  => __( 'Sorry, you are not allowed to attach files to this post.' ),
					'filename' => esc_html( $_FILES['async-upload']['name'] ),
				)
			) );

			wp_die();
		}
	} else {
		$post_id = null;
	}

	$post_data = ! empty( $_REQUEST['post_data'] ) ? _wp_get_allowed_postdata( _wp_translate_postdata( false, (array) $_REQUEST['post_data'] ) ) : array();

	if ( is_wp_error( $post_data ) ) {
		wp_die( $post_data->get_error_message() );
	}

	// If the context is custom header or background, make sure the uploaded file is an image.
	if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ) ) ) {
		$wp_filetype = wp_check_filetype_and_ext( $_FILES['async-upload']['tmp_name'], $_FILES['async-upload']['name'] );
		if ( ! wp_match_mime_types( 'image', $wp_filetype['type'] ) ) {
			echo wp_json_encode( array(
				'success' => false,
				'data'    => array(
					'message'  => __( 'The uploaded file is not a valid image. Please try again.' ),
					'filename' => esc_html( $_FILES['async-upload']['name'] ),
				)
			) );

			wp_die();
		}
	}

	$attachment_id = media_handle_upload( 'async-upload', $post_id, $post_data );

	if ( is_wp_error( $attachment_id ) ) {
		echo wp_json_encode( array(
			'success' => false,
			'data'    => array(
				'message'  => $attachment_id->get_error_message(),
				'filename' => esc_html( $_FILES['async-upload']['name'] ),
			)
		) );

		wp_die();
	}

	if ( isset( $post_data['context'] ) && isset( $post_data['theme'] ) ) {
		if ( 'custom-background' === $post_data['context'] )
			update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', $post_data['theme'] );

		if ( 'custom-header' === $post_data['context'] )
			update_post_meta( $attachment_id, '_wp_attachment_is_custom_header', $post_data['theme'] );
	}

	if ( ! $attachment = wp_prepare_attachment_for_js( $attachment_id ) )
		wp_die();

	echo wp_json_encode( array(
		'success' => true,
		'data'    => $attachment,
	) );

	wp_die();
}

Expand Source Code View on GitHub

Related

Uses

Uses
Uses Description
wp-includes/media.php: wp_prepare_attachment_for_js()

Prepares an attachment post object for JS, where it is expected to be JSON-encoded and fit into an Attachment model.
wp-includes/l10n.php: __()

Retrieve the translation of $text.
wp-includes/pluggable.php: check_ajax_referer()

Verifies the Ajax request to prevent processing requests external of the blog.
wp-includes/capabilities.php: current_user_can()

Whether the current user has a specific capability.
wp-includes/post.php: wp_match_mime_types()

Check a MIME-Type against a list.
wp-includes/post.php: update_post_meta()

Update post meta field based on post ID.
wp-includes/formatting.php: esc_html()

Escaping for HTML blocks.
wp-includes/load.php: is_wp_error()

Check whether variable is a ClassicPress Error.
wp-includes/functions.php: wp_json_encode()

Encode a variable into JSON, with some sanity checks.
wp-includes/functions.php: wp_die()

Kill ClassicPress execution and display HTML message with error message.
wp-includes/functions.php: wp_check_filetype_and_ext()

Attempt to determine the real file type of a file.
wp-admin/includes/media.php: media_handle_upload()

Save a file submitted from a POST request and create an attachment post for it.
wp-admin/includes/post.php: _wp_get_allowed_postdata()

Applies a blacklist to post data fields used in editing functions.
wp-admin/includes/post.php: _wp_translate_postdata()

Rename $_POST data from form names to DB post columns.
Show 9 more uses Hide more uses

Changelog

Changelog
Version Description
WP-3.3.0 Introduced.