W3cubDocs

/WordPress

wp_ajax_upload_attachment()

Ajax handler for uploading attachments

Source

File: wp-admin/includes/ajax-actions.php 

function wp_ajax_upload_attachment() {
	check_ajax_referer( 'media-form' );
	/*
	 * This function does not use wp_send_json_success() / wp_send_json_error()
	 * as the html4 Plupload handler requires a text/html content-type for older IE.
	 * See https://core.trac.wordpress.org/ticket/31037
	 */

	if ( ! current_user_can( 'upload_files' ) ) {
		echo wp_json_encode(
			array(
				'success' => false,
				'data'    => array(
					'message'  => __( 'Sorry, you are not allowed to upload files.' ),
					'filename' => esc_html( $_FILES['async-upload']['name'] ),
				),
			)
		);

		wp_die();
	}

	if ( isset( $_REQUEST['post_id'] ) ) {
		$post_id = $_REQUEST['post_id'];

		if ( ! current_user_can( 'edit_post', $post_id ) ) {
			echo wp_json_encode(
				array(
					'success' => false,
					'data'    => array(
						'message'  => __( 'Sorry, you are not allowed to attach files to this post.' ),
						'filename' => esc_html( $_FILES['async-upload']['name'] ),
					),
				)
			);

			wp_die();
		}
	} else {
		$post_id = null;
	}

	$post_data = ! empty( $_REQUEST['post_data'] ) ? _wp_get_allowed_postdata( _wp_translate_postdata( false, (array) $_REQUEST['post_data'] ) ) : array();

	if ( is_wp_error( $post_data ) ) {
		wp_die( $post_data->get_error_message() );
	}

	// If the context is custom header or background, make sure the uploaded file is an image.
	if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ), true ) ) {
		$wp_filetype = wp_check_filetype_and_ext( $_FILES['async-upload']['tmp_name'], $_FILES['async-upload']['name'] );

		if ( ! wp_match_mime_types( 'image', $wp_filetype['type'] ) ) {
			echo wp_json_encode(
				array(
					'success' => false,
					'data'    => array(
						'message'  => __( 'The uploaded file is not a valid image. Please try again.' ),
						'filename' => esc_html( $_FILES['async-upload']['name'] ),
					),
				)
			);

			wp_die();
		}
	}

	$attachment_id = media_handle_upload( 'async-upload', $post_id, $post_data );

	if ( is_wp_error( $attachment_id ) ) {
		echo wp_json_encode(
			array(
				'success' => false,
				'data'    => array(
					'message'  => $attachment_id->get_error_message(),
					'filename' => esc_html( $_FILES['async-upload']['name'] ),
				),
			)
		);

		wp_die();
	}

	if ( isset( $post_data['context'] ) && isset( $post_data['theme'] ) ) {
		if ( 'custom-background' === $post_data['context'] ) {
			update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', $post_data['theme'] );
		}

		if ( 'custom-header' === $post_data['context'] ) {
			update_post_meta( $attachment_id, '_wp_attachment_is_custom_header', $post_data['theme'] );
		}
	}

	$attachment = wp_prepare_attachment_for_js( $attachment_id );
	if ( ! $attachment ) {
		wp_die();
	}

	echo wp_json_encode(
		array(
			'success' => true,
			'data'    => $attachment,
		)
	);

	wp_die();
}

Uses

Uses Description
wp-admin/includes/post.php: _wp_get_allowed_postdata()

Returns only allowed post data fields
wp-includes/functions.php: wp_json_encode()

Encode a variable into JSON, with some sanity checks.
wp-admin/includes/media.php: media_handle_upload()

Saves a file submitted from a POST request and create an attachment post for it.
wp-admin/includes/post.php: _wp_translate_postdata()

Rename $_POST data from form names to DB post columns.
wp-includes/capabilities.php: current_user_can()

Returns whether the current user has the specified capability.
wp-includes/l10n.php: __()

Retrieve the translation of $text.
wp-includes/formatting.php: esc_html()

Escaping for HTML blocks.
wp-includes/pluggable.php: check_ajax_referer()

Verifies the Ajax request to prevent processing requests external of the blog.
wp-includes/functions.php: wp_die()

Kills WordPress execution and displays HTML page with an error message.
wp-includes/functions.php: wp_check_filetype_and_ext()

Attempt to determine the real file type of a file.
wp-includes/media.php: wp_prepare_attachment_for_js()

Prepares an attachment post object for JS, where it is expected to be JSON-encoded and fit into an Attachment model.
wp-includes/post.php: wp_match_mime_types()

Check a MIME-Type against a list.
wp-includes/post.php: update_post_meta()

Updates a post meta field based on the given post ID.
wp-includes/load.php: is_wp_error()

Check whether variable is a WordPress Error.

Changelog

Version Description
3.3.0 Introduced.

© 2003–2019 WordPress Foundation
Licensed under the GNU GPLv2+ License.
https://developer.wordpress.org/reference/functions/wp_ajax_upload_attachment