Open kraftner opened 8 years ago
Concerning the multi-uploader, the nonce to check this is actually coming from the profile page should probably go somewhere in AvatarRegisterMetaService.
The more I think about this the less I'm sure this should be handled by this plugin, but rather just a section in Readme on how to implement this. Reason is that we'd be messing with upload permissions which is a pretty serious thing.
Currently the plugin checks for upload_files everywhere. Also when using the multi-uploader everything sits on top of wp-admin/async-upload.php which also checks for this permission.
So to make this work we'd need to find a safe way to enable that. Especially for async-upload.php this also needs to make sure that we only enable the upload for the avatar and not for everything. Maybe something like a nonce (a real one, not a WP nonce).
Also this would probably be the point where we should really have some central helpers to determine these kinds of things. See #37.
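
The "real nonce" idea from the thread above, sketched as an added example; it is not part of the original discussion or the plugin's code. It shows a token that is valid once, for one user, and for the avatar upload only. The class name, the `avatar` purpose label, and the in-memory store are assumptions made for illustration.

```php
<?php
// Added example, not plugin code. All names here are hypothetical.
// A single-use, purpose-bound upload token: valid once, for one user,
// for the avatar upload only, and only for a short time.

final class AvatarUploadTokens
{
    /** @var array<string, array{user:int, purpose:string, expires:int}> keyed by token hash */
    private array $store = []; // assumption: stands in for server-side storage

    /** Called when the profile page is rendered for $userId. */
    public function issue(int $userId, int $ttl = 300, ?int $now = null): string
    {
        $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG
        $this->store[hash('sha256', $token)] = [   // keep only the hash server-side
            'user'    => $userId,
            'purpose' => 'avatar',
            'expires' => ($now ?? time()) + $ttl,
        ];
        return $token;
    }

    /** Called by the upload handler before it accepts a file. */
    public function consume(string $token, int $userId, string $purpose, ?int $now = null): bool
    {
        $key = hash('sha256', $token);
        if (!isset($this->store[$key])) {
            return false;                          // unknown or already used
        }
        $entry = $this->store[$key];
        unset($this->store[$key]);                 // burn it even if a check below fails
        return $entry['user'] === $userId
            && $entry['purpose'] === $purpose
            && $entry['expires'] >= ($now ?? time());
    }
}

// Constructed walk-through: the profile page issues, the upload handler consumes.
$tokens = new AvatarUploadTokens();
$t = $tokens->issue(42);
var_dump($tokens->consume($t, 42, 'avatar'));   // first use by the same user
var_dump($tokens->consume($t, 42, 'avatar'));   // replay of the same token
$t2 = $tokens->issue(42);
var_dump($tokens->consume($t2, 42, 'media'));   // token presented for another purpose
```

The token is removed on any lookup hit, so a request that fails the user, purpose, or expiry check cannot retry with the same value.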