wp_ajax_upload_attachment() WordPress Function

The wp_ajax_upload_attachment() function is used to upload an attachment file to a WordPress site. This function is called via an AJAX request from the media uploader.

wp_ajax_upload_attachment() #

Ajax handler for uploading attachments

Contents

Source

File: wp-admin/includes/ajax-actions.php

function wp_ajax_upload_attachment() {
	check_ajax_referer( 'media-form' );
	/*
	 * This function does not use wp_send_json_success() / wp_send_json_error()
	 * as the html4 Plupload handler requires a text/html content-type for older IE.
	 * See https://core.trac.wordpress.org/ticket/31037
	 */

	if ( ! current_user_can( 'upload_files' ) ) {
		echo wp_json_encode(
			array(
				'success' => false,
				'data'    => array(
					'message'  => __( 'Sorry, you are not allowed to upload files.' ),
					'filename' => esc_html( $_FILES['async-upload']['name'] ),
				),
			)
		);

		wp_die();
	}

	if ( isset( $_REQUEST['post_id'] ) ) {
		$post_id = $_REQUEST['post_id'];

		if ( ! current_user_can( 'edit_post', $post_id ) ) {
			echo wp_json_encode(
				array(
					'success' => false,
					'data'    => array(
						'message'  => __( 'Sorry, you are not allowed to attach files to this post.' ),
						'filename' => esc_html( $_FILES['async-upload']['name'] ),
					),
				)
			);

			wp_die();
		}
	} else {
		$post_id = null;
	}

	$post_data = ! empty( $_REQUEST['post_data'] ) ? _wp_get_allowed_postdata( _wp_translate_postdata( false, (array) $_REQUEST['post_data'] ) ) : array();

	if ( is_wp_error( $post_data ) ) {
		wp_die( $post_data->get_error_message() );
	}

	// If the context is custom header or background, make sure the uploaded file is an image.
	if ( isset( $post_data['context'] ) && in_array( $post_data['context'], array( 'custom-header', 'custom-background' ), true ) ) {
		$wp_filetype = wp_check_filetype_and_ext( $_FILES['async-upload']['tmp_name'], $_FILES['async-upload']['name'] );

		if ( ! wp_match_mime_types( 'image', $wp_filetype['type'] ) ) {
			echo wp_json_encode(
				array(
					'success' => false,
					'data'    => array(
						'message'  => __( 'The uploaded file is not a valid image. Please try again.' ),
						'filename' => esc_html( $_FILES['async-upload']['name'] ),
					),
				)
			);

			wp_die();
		}
	}

	$attachment_id = media_handle_upload( 'async-upload', $post_id, $post_data );

	if ( is_wp_error( $attachment_id ) ) {
		echo wp_json_encode(
			array(
				'success' => false,
				'data'    => array(
					'message'  => $attachment_id->get_error_message(),
					'filename' => esc_html( $_FILES['async-upload']['name'] ),
				),
			)
		);

		wp_die();
	}

	if ( isset( $post_data['context'] ) && isset( $post_data['theme'] ) ) {
		if ( 'custom-background' === $post_data['context'] ) {
			update_post_meta( $attachment_id, '_wp_attachment_is_custom_background', $post_data['theme'] );
		}

		if ( 'custom-header' === $post_data['context'] ) {
			update_post_meta( $attachment_id, '_wp_attachment_is_custom_header', $post_data['theme'] );
		}
	}

	$attachment = wp_prepare_attachment_for_js( $attachment_id );
	if ( ! $attachment ) {
		wp_die();
	}

	echo wp_json_encode(
		array(
			'success' => true,
			'data'    => $attachment,
		)
	);

	wp_die();
}

Expand full source codeCollapse full source codeView on TracView on GitHub

Top ↑

Top ↑

Uses

Uses
UsesDescription
wp-admin/includes/post.php:_wp_get_allowed_postdata()

Returns only allowed post data fields.

wp-includes/functions.php:wp_json_encode()

Encode a variable into JSON, with some sanity checks.

wp-admin/includes/media.php:media_handle_upload()

Saves a file submitted from a POST request and create an attachment post for it.

wp-admin/includes/post.php:_wp_translate_postdata()

Renames $_POST data from form names to DB post columns.

wp-includes/capabilities.php:current_user_can()

Returns whether the current user has the specified capability.

wp-includes/l10n.php:__()

Retrieve the translation of $text.

wp-includes/formatting.php:esc_html()

Escaping for HTML blocks.

wp-includes/pluggable.php:check_ajax_referer()

Verifies the Ajax request to prevent processing requests external of the blog.

wp-includes/functions.php:wp_die()

Kills WordPress execution and displays HTML page with an error message.

wp-includes/functions.php:wp_check_filetype_and_ext()

Attempt to determine the real file type of a file.

wp-includes/media.php:wp_prepare_attachment_for_js()

Prepares an attachment post object for JS, where it is expected to be JSON-encoded and fit into an Attachment model.

wp-includes/post.php:wp_match_mime_types()

Check a MIME-Type against a list.

wp-includes/post.php:update_post_meta()

Updates a post meta field based on the given post ID.

wp-includes/load.php:is_wp_error()

Checks whether the given variable is a WordPress Error.

Show 9 more usesHide more uses

Top ↑

Changelog

Changelog
VersionDescription
3.3.0Introduced.
Download the latest version of WordPress from https://wordpress.org/

The content displayed on this page has been created in part by processing WordPress source code files which are made available under the GPLv2 (or a later version) license by theĀ Free Software Foundation. In addition to this, the content includes user-written examples and information. All material is subject to review and curation by the WPPaste.com community.