Ask your WordPress questions! Pay money and get answers fast! Comodo Trusted Site Seal
Official PayPal Seal

Wordpress MU and Media Uploader issue WordPress


I have WP MU (subdomain setup) and I have a page on main domain from where all blog admins can update/manage their pages/posts. so it looks like: On that page I am check if user is blog admin and I am gathering infos I need and doing this:

wp_enqueue_media( array( 'post' => $post_id ) );
wp_editor( $post_content, 'post_content', $settings = array(textarea_rows => 15, media_buttons => true) );

$userblog_id is actually ID of the blog that user is assigned to.
$post_id is ID of the post that user is editing on member page.

Now when blog admin clicks on Upload Media button it shows media upload popup, but the media gallery is always empty and when admin tried to upload something it is always failing with this error "HTTP Error."

I saw that is called when I click Add Media button and that json response is: {"success":false}

Now when I am logged in as superadmin - it works properly and it's storing media to my MainDomain site...

...Forgot to mention when I go to the site dashboard for that blog ( and click Add media button - admin-ajax.php response is : {"wp-auth-check":true,"wp-refresh-post-lock":{"new_lock":"1386087028:4"},"server_time":1386087028}

So obviously even if I am logged in as blog admin on main site - I am not getting authenticated as blog admin when ajax request is run on ? Is there a work-around ?

Answers (1)


akhilesh singh answers:

try to add this in your htaccess file
# uploaded files
RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]

peterbra comments:

I've tried that, and among others in htaccess:
Header append x-frame-options "ALLOW-FROM *"

in functions:
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: POST, GET, OPTIONS');
header('Access-Control-Max-Age: 1000');
header('Access-Control-Allow-Headers: Content-Type');

...but thing is this is WP ajax authentication cross-domain issue and I just have no idea how it can be solved without compromising security.

To explain it better:
When I am logged in as admin of a blog (not superadmin) -> since everything is done from main site (even login part) I am logged in properly as blog admin and everything from works OK and I am logged in when I go to that pages, but my blog users won't have access to wp-admin part directly - all settings they will do ( and all is set up and working except of media upload) they are doing from page... now from that page I am calling different functions that are handling post/page creation and delete and profile setup etc... Only issue I have is media upload as admin of the blog (when doing stuff from main site) is authenticated like this:

WP_User Object
[data] => stdClass Object
[ID] => 4
[user_login] => testuser
[user_nicename] => testuser
[user_email] => [email protected]
[user_url] =>
[user_registered] => 2013-12-03 07:15:09
[user_activation_key] =>
[user_status] => 0
[display_name] => testuser
[spam] => 0
[deleted] => 0

[ID] => 4
[caps] => Array

[cap_key] => wp_capabilities
[roles] => Array

[allcaps] => Array

[filter] =>

So as you may see this is on main site how current user details look like .... and obviously it has no capabilities... now I don't know how to explain to " WP Media Uploader" that user is OK and that he is actually admin of that particular blog ( remember I used switch_to_blog($userblog_id); ) , but obviously switch_to_blog() doesn't work as expected when media uploader is run on so I really need work around for that....

akhilesh singh comments:

ok add_cap function can help in this try to add this code in your theme function file, put at the end of file.

if ( current_user_can('administrator') && !current_user_can('upload_files') )
{ add_action('admin_init', 'allow_uploads');

function allow_uploads() {

$contributor = get_role('administrator');



please test this with following user also

peterbra comments:

Ok, I did it but this didn't do anything... I tried even
if ( !current_user_can('upload_files') ) .... and rest of code....

the thing is - it's AJAX cross domain issue and when Media Uploader pops out it sends it's own "domain origin" independently, so it's always going to be conflict and uploads will fail... So I just need to "trick" Media Uploader that user is calling Media Uploader from his domain and in this case it will be even if he is actually on - MediaUploader has to think that it was called from