From b14333aed81260432a41e07c4919d5d5d6d31a69 Mon Sep 17 00:00:00 2001
From: Aleksandar Atanasov
Date: Thu, 5 Feb 2026 09:52:40 +0200
Subject: [PATCH] Improve down_sync_asset

---
 php/class-media.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/php/class-media.php b/php/class-media.php
index a20a89d9..8b77c5f1 100644
--- a/php/class-media.php
+++ b/php/class-media.php
@@ -2285,8 +2285,7 @@ function ( $value, $key ) use ( &$asset ) {
 */
 public function down_sync_asset() {
 $nonce = Utils::get_sanitized_text( 'nonce', INPUT_POST );
- if ( wp_verify_nonce( $nonce, 'wp_rest' ) ) {
-
+ if ( is_user_logged_in() && wp_verify_nonce( $nonce, 'wp_rest' ) && current_user_can( 'upload_files' ) ) {
 $asset = $this->get_asset_payload();
 // Set a base array for pulling an asset if needed.
 $base_return = array(
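Review bot: The new guard on the `if` line authorises only on the site-wide `upload_files` capability, so it says nothing about whether the caller may touch the particular asset that `get_asset_payload()` returns. If that payload can resolve to an existing attachment (not visible in this hunk), an object-level check such as `current_user_can( 'edit_post', $attachment_id )` belongs before any write, with `$attachment_id` standing in for whatever ID the payload yields. The `wp_rest` nonce action is a generic one that is not specific to this handler, so it protects against CSRF but should not be read as authorisation; a comment on the condition like `// Nonce = CSRF protection only; upload_files is the authorisation gate.` would make that explicit. `is_user_logged_in()` is redundant next to `current_user_can()`, which already fails for anonymous requests, and could be dropped. The body of down_sync_asset continues past the hunk, so the failure branch cannot be checked from here; it should end in an explicit error response rather than fall through.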