Ticket #12400: 12400.3.diff
| File 12400.3.diff, 17.3 KB (added by sivel, 2 years ago) |
|---|
-
wp-ajax.php
1 <?php 2 /** 3 * WordPress Primary AJAX Process Execution. 4 * 5 * @package WordPress 6 */ 7 8 /** 9 * Executing AJAX process. 10 * 11 * @since 2.1.0 12 */ 13 define( 'DOING_AJAX', true ); 14 15 if ( ! isset( $_REQUEST['action'] ) ) 16 die( '-1' ); 17 18 if ( ! defined( 'ABSPATH' ) ) 19 require_once( dirname( __FILE__ ) . '/wp-load.php' ); 20 21 if ( defined( 'WP_ADMIN' ) && WP_ADMIN ) 22 require_once( ABSPATH . 'wp-admin/includes/admin.php' ); 23 24 @header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) ); 25 send_nosniff_header(); 26 27 if ( defined( 'WP_ADMIN' ) && WP_ADMIN ) 28 do_action( 'admin_init' ); 29 30 if ( ! is_user_logged_in() ) { 31 if ( !empty( $_REQUEST['action'] ) ) 32 do_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] ); 33 die('-1'); 34 } 35 36 if ( isset( $_REQUEST['action'] ) ) { 37 do_action( 'wp_ajax_' . $_REQUEST['action'] ); 38 die( '0' ); 39 } else { 40 die( '1' ); 41 } 42 ?> -
wp-admin/admin-ajax.php
1 1 <?php 2 2 /** 3 * WordPress AJAX Process Execution .3 * WordPress AJAX Process Execution for admin. 4 4 * 5 5 * @package WordPress 6 6 * @subpackage Administration 7 7 */ 8 9 /**10 * Executing AJAX process.11 *12 * @since 2.1.013 */14 define('DOING_AJAX', true);15 8 define('WP_ADMIN', true); 16 9 17 if ( ! isset( $_REQUEST['action']) )18 die('-1');10 if ( ! defined( 'ABSPATH' ) ) 11 require_once( '../wp-load.php' ); 19 12 20 require_once('../wp-load.php');21 22 require_once('./includes/admin.php');23 @header('Content-Type: text/html; charset=' . get_option('blog_charset'));24 send_nosniff_header();25 26 do_action('admin_init');27 28 13 if ( ! is_user_logged_in() ) { 14 if ( isset( $_POST['action'] ) ) 15 add_action( 'wp_ajax_nopriv_autosave', 'ajax_logged_out_autosave' ); 16 } else { 17 if ( isset( $_GET['action'] ) ) { 18 add_action( 'wp_ajax_fetch-list', 'ajax_fetch_list' ); 19 add_action( 'wp_ajax_ajax-tag-search', 'ajax_tag_search' ); 20 add_action( 'wp_ajax_wp-compression-test', 'ajax_wp_compression_test' ); 21 add_action( 'wp_ajax_imgedit-preview', 'ajax_imgedit_preview' ); 22 add_action( 'wp_ajax_menu-quick-search', 'ajax_menu_quick_search' ); 23 add_action( 'wp_ajax_oembed-cache', 'ajax_oembed_cache' ); 24 } else if ( isset( $_POST['action'] ) ) { 25 add_action( 'wp_ajax_delete-comment', 'ajax_delete_comment' ); 26 add_action( 'wp_ajax_delete-tag', 'ajax_delete_tag' ); 27 add_action( 'wp_ajax_delete-link', 'ajax_delete_link' ); 28 add_action( 'wp_ajax_delete-meta', 'ajax_delete_meta' ); 29 add_action( 'wp_ajax_delete-post', 'ajax_delete_post' ); 30 add_action( 'wp_ajax_trash-post', 'ajax_trash_untrash_post' ); 31 add_action( 'wp_ajax_untrash-post', 'ajax_trash_untrash_post' ); 32 add_action( 'wp_ajax_delete-page', 'ajax_delete_page' ); 33 add_action( 'wp_ajax_dim-comment', 'ajax_dim_comment' ); 34 add_action( 'wp_ajax_add-link-category', 'ajax_add_link_category' ); 35 add_action( 'wp_ajax_add-tag', 'ajax_add_tag' ); 36 add_action( 'wp_ajax_get-tagcloud', 'ajax_get_tagcloud' ); 37 add_action( 'wp_ajax_get-comments', 'ajax_get_comments' ); 38 add_action( 'wp_ajax_replyto-comment', 'ajax_replyto_comment' ); 39 add_action( 'wp_ajax_edit-comment', 'ajax_edit_comment' ); 40 add_action( 'wp_ajax_add-menu-item', 'ajax_add_menu_item' ); 41 add_action( 'wp_ajax_add-meta', 'ajax_add_meta' ); 42 add_action( 'wp_ajax_add-user', 'ajax_add_user' ); 43 add_action( 'wp_ajax_autosave', 'ajax_autosave' ); 44 add_action( 'wp_ajax_closed-postboxes', 'ajax_closed_postboxes' ); 45 add_action( 'wp_ajax_hidden-columns', 'ajax_hidden_columns' ); 46 add_action( 'wp_ajax_menu-get-metabox', 'ajax_menu_get_metabox' ); 47 add_action( 'wp_ajax_menu-quick-search', 'ajax_menu_quick_search' ); 48 add_action( 'wp_ajax_wp-link-ajax', 'ajax_wp_link_ajax' ); 49 add_action( 'wp_ajax_menu-locations-save', 'ajax_menu_locations_save' ); 50 add_action( 'wp_ajax_meta-box-order', 'ajax_meta_box_order' ); 51 add_action( 'wp_ajax_get-permalink', 'ajax_get_permalink' ); 52 add_action( 'wp_ajax_sample-permalink', 'ajax_sample_permalink' ); 53 add_action( 'wp_ajax_inline-save', 'ajax_inline_save' ); 54 add_action( 'wp_ajax_inline-save-tax', 'ajax_inline_save_tax' ); 55 add_action( 'wp_ajax_find_posts', 'ajax_find_posts' ); 56 add_action( 'wp_ajax_widgets-order', 'ajax_widgets_order' ); 57 add_action( 'wp_ajax_save-widget', 'ajax_save_widget' ); 58 add_action( 'wp_ajax_image-editor', 'ajax_image_editor' ); 59 add_action( 'wp_ajax_set-post-thumbnail', 'ajax_set_post_thumbnail' ); 60 add_action( 'wp_ajax_date_format', 'ajax_date_format' ); 61 add_action( 'wp_ajax_time_format', 'ajax_time_format' ); 62 } 63 } 29 64 30 if ( isset( $_POST['action'] ) && $_POST['action'] == 'autosave') {31 65 function ajax_logged_out_autosave() { 66 $id = isset($_POST['post_ID'])? (int) $_POST['post_ID'] : 0; 32 67 33 34 68 if ( ! $id ) 69 die('-1'); 35 70 36 $message = sprintf( __('<strong>ALERT: You are logged out!</strong> Could not save draft. <a href="%s" target="_blank">Please log in again.</a>'), wp_login_url() ); 37 $x = new WP_Ajax_Response( array( 38 'what' => 'autosave', 39 'id' => $id, 40 'data' => $message 41 ) ); 42 $x->send(); 43 } 44 45 if ( !empty( $_REQUEST['action'] ) ) 46 do_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] ); 47 48 die('-1'); 71 $message = sprintf( __('<strong>ALERT: You are logged out!</strong> Could not save draft. <a href="%s" target="_blank">Please log in again.</a>'), wp_login_url() ); 72 $x = new WP_Ajax_Response( array( 73 'what' => 'autosave', 74 'id' => $id, 75 'data' => $message 76 ) ); 77 $x->send(); 49 78 } 50 79 51 if ( isset( $_GET['action'] ) ) : 52 switch ( $action = $_GET['action'] ) : 53 case 'fetch-list' : 54 80 function ajax_fetch_list() { 55 81 $list_class = $_GET['list_args']['class']; 56 82 check_ajax_referer( "fetch-list-$list_class", '_ajax_fetch_list_nonce' ); 57 83 … … 73 99 $wp_list_table->ajax_response(); 74 100 75 101 die( '0' ); 76 break; 77 case 'ajax-tag-search' : 102 } 103 104 function ajax_tag_search() { 78 105 if ( isset( $_GET['tax'] ) ) { 79 106 $taxonomy = sanitize_key( $_GET['tax'] ); 80 107 $tax = get_taxonomy( $taxonomy ); … … 100 127 101 128 echo join( $results, "\n" ); 102 129 die; 103 break; 104 case 'wp-compression-test' : 130 } 131 132 function wp_compression_test() { 105 133 if ( !current_user_can( 'manage_options' ) ) 106 134 die('-1'); 107 135 … … 144 172 } 145 173 146 174 die('0'); 147 break; 148 case 'imgedit-preview' : 175 } 176 177 function ajax_imgedit_preview() { 149 178 $post_id = intval($_GET['postid']); 150 179 if ( empty($post_id) || !current_user_can('edit_post', $post_id) ) 151 180 die('-1'); … … 157 186 die('-1'); 158 187 159 188 die(); 160 break; 161 case 'menu-quick-search': 189 } 190 191 function admin_menu_quick_search() { 162 192 if ( ! current_user_can( 'edit_theme_options' ) ) 163 193 die('-1'); 164 194 … … 167 197 _wp_ajax_menu_quick_search( $_REQUEST ); 168 198 169 199 exit; 170 break; 171 case 'oembed-cache' : 200 } 201 202 function oembed_cache() { 172 203 $return = ( $wp_embed->cache_oembed( $_GET['post'] ) ) ? '1' : '0'; 173 204 die( $return ); 174 break; 175 default : 176 do_action( 'wp_ajax_' . $_GET['action'] ); 177 die('0'); 178 break; 179 endswitch; 180 endif; 205 } 181 206 207 182 208 /** 183 209 * Sends back current comment total and new page links if they need to be updated. 184 210 * … … 316 342 $x->send(); 317 343 } 318 344 319 $id = isset($_POST['id'])? (int) $_POST['id'] : 0; 320 switch ( $action = $_POST['action'] ) : 321 case 'delete-comment' : // On success, die with time() instead of 1 345 function ajax_delete_comment() { // On success, die with time() instead of 1 346 $id = isset($_POST['id'])? (int) $_POST['id'] : 0; 322 347 if ( !$comment = get_comment( $id ) ) 323 348 die( (string) time() ); 324 349 if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) ) … … 357 382 if ( $r ) // Decide if we need to send back '1' or a more complicated response including page links and comment counts 358 383 _wp_ajax_delete_comment_response( $comment->comment_ID, $delta ); 359 384 die( '0' ); 360 break; 361 case 'delete-tag' : 385 } 386 387 function ajax_delete_tag() { 362 388 $tag_id = (int) $_POST['tag_ID']; 363 389 check_ajax_referer( "delete-tag_$tag_id" ); 364 390 … … 376 402 die('1'); 377 403 else 378 404 die('0'); 379 break; 380 case 'delete-link' : 405 } 406 407 function ajax_delete_link() { 408 $id = isset($_POST['id'])? (int) $_POST['id'] : 0; 381 409 check_ajax_referer( "delete-bookmark_$id" ); 382 410 if ( !current_user_can( 'manage_links' ) ) 383 411 die('-1'); … … 390 418 die('1'); 391 419 else 392 420 die('0'); 393 break; 394 case 'delete-meta' : 421 } 422 423 function ajax_delete_meta() { 424 $id = isset($_POST['id'])? (int) $_POST['id'] : 0; 395 425 check_ajax_referer( "delete-meta_$id" ); 396 426 if ( !$meta = get_post_meta_by_id( $id ) ) 397 427 die('1'); … … 401 431 if ( delete_meta( $meta->meta_id ) ) 402 432 die('1'); 403 433 die('0'); 404 break; 405 case 'delete-post' : 434 } 435 436 function ajax_delete_post() { 437 $id = isset($_POST['id'])? (int) $_POST['id'] : 0; 406 438 check_ajax_referer( "{$action}_$id" ); 407 439 if ( !current_user_can( 'delete_post', $id ) ) 408 440 die('-1'); … … 414 446 die('1'); 415 447 else 416 448 die('0'); 417 break; 418 case 'trash-post' : 419 case 'untrash-post' : 449 } 450 451 function ajax_trash_untrash_post() { 452 $id = isset($_POST['id'])? (int) $_POST['id'] : 0; 420 453 check_ajax_referer( "{$action}_$id" ); 421 454 if ( !current_user_can( 'delete_post', $id ) ) 422 455 die('-1'); … … 433 466 die('1'); 434 467 435 468 die('0'); 436 break; 437 case 'delete-page' : 469 } 470 471 function ajax_delete_page() { 472 $id = isset($_POST['id'])? (int) $_POST['id'] : 0; 438 473 check_ajax_referer( "{$action}_$id" ); 439 474 if ( !current_user_can( 'delete_page', $id ) ) 440 475 die('-1'); … … 446 481 die('1'); 447 482 else 448 483 die('0'); 449 break; 450 case 'dim-comment' : // On success, die with time() instead of 1 484 } 451 485 486 function ajax_dim_comment() { // On success, die with time() instead of 1 487 $id = isset($_POST['id'])? (int) $_POST['id'] : 0; 452 488 if ( !$comment = get_comment( $id ) ) { 453 489 $x = new WP_Ajax_Response( array( 454 490 'what' => 'comment', … … 481 517 // Decide if we need to send back '1' or a more complicated response including page links and comment counts 482 518 _wp_ajax_delete_comment_response( $comment->comment_ID ); 483 519 die( '0' ); 484 break; 485 case 'add-link-category' : // On the Fly 520 } 521 522 function ajax_add_link_category() { // On the Fly 486 523 check_ajax_referer( $action ); 487 524 if ( !current_user_can( 'manage_categories' ) ) 488 525 die('-1'); … … 506 543 ) ); 507 544 } 508 545 $x->send(); 509 break; 510 case 'add-tag' : 546 } 547 548 function ajax_add_tag() { 511 549 check_ajax_referer( 'add-tag' ); 512 550 $post_type = !empty($_POST['post_type']) ? $_POST['post_type'] : 'post'; 513 551 $taxonomy = !empty($_POST['taxonomy']) ? $_POST['taxonomy'] : 'post_tag'; … … 558 596 'supplemental' => (array) $tag 559 597 ) ); 560 598 $x->send(); 561 break; 562 case 'get-tagcloud' : 599 } 600 601 function ajax_get_tagcloud() { 563 602 if ( isset( $_POST['tax'] ) ) { 564 603 $taxonomy = sanitize_key( $_POST['tax'] ); 565 604 $tax = get_taxonomy( $taxonomy ); … … 593 632 echo $return; 594 633 595 634 exit; 596 break; 597 case 'get-comments' : 635 } 636 637 function ajax_get_comments() { 598 638 check_ajax_referer( $action ); 599 639 600 640 set_current_screen( 'edit-comments' ); … … 623 663 'data' => $comment_list_item 624 664 ) ); 625 665 $x->send(); 626 break; 627 case 'replyto-comment' : 666 } 667 668 function ajax_replyto_comment() { 628 669 check_ajax_referer( $action, '_ajax_nonce-replyto-comment' ); 629 670 630 671 set_current_screen( 'edit-comments' ); … … 693 734 )); 694 735 695 736 $x->send(); 696 break; 697 case 'edit-comment' : 737 } 738 739 function ajax_edit_comment() { 698 740 check_ajax_referer( 'replyto-comment', '_ajax_nonce-replyto-comment' ); 699 741 700 742 set_current_screen( 'edit-comments' ); … … 731 773 )); 732 774 733 775 $x->send(); 734 break; 735 case 'add-menu-item' : 776 } 777 778 function ajax_add_menu_item() { 736 779 if ( ! current_user_can( 'edit_theme_options' ) ) 737 780 die('-1'); 738 781 … … 793 836 ); 794 837 echo walk_nav_menu_tree( $menu_items, 0, (object) $args ); 795 838 } 796 break; 797 case 'add-meta' : 839 } 840 841 function ajax_add_meta() { 798 842 check_ajax_referer( 'add-meta', '_ajax_nonce-add-meta' ); 799 843 $c = 0; 800 844 $pid = (int) $_POST['post_id']; … … 875 919 ) ); 876 920 } 877 921 $x->send(); 878 break; 879 case 'add-user' : 922 } 923 924 function ajax_add_user() { 880 925 check_ajax_referer( $action ); 881 926 if ( !current_user_can('create_users') ) 882 927 die('-1'); … … 903 948 ) 904 949 ) ); 905 950 $x->send(); 906 break; 907 case 'autosave' : // The name of this action is hardcoded in edit_post() 951 } 952 953 function ajax_autosave() { // The name of this action is hardcoded in edit_post() 908 954 define( 'DOING_AUTOSAVE', true ); 909 955 910 956 $nonce_age = check_ajax_referer( 'autosave', 'autosavenonce' ); … … 998 1044 'supplemental' => $supplemental 999 1045 ) ); 1000 1046 $x->send(); 1001 break; 1002 case 'closed-postboxes' : 1047 } 1048 1049 function ajax_closed_postboxes() { 1003 1050 check_ajax_referer( 'closedpostboxes', 'closedpostboxesnonce' ); 1004 1051 $closed = isset( $_POST['closed'] ) ? explode( ',', $_POST['closed']) : array(); 1005 1052 $closed = array_filter($closed); … … 1024 1071 } 1025 1072 1026 1073 die('1'); 1027 break; 1028 case 'hidden-columns' : 1074 } 1075 1076 function ajax_hidden_columns() { 1029 1077 check_ajax_referer( 'screen-options-nonce', 'screenoptionnonce' ); 1030 1078 $hidden = isset( $_POST['hidden'] ) ? $_POST['hidden'] : ''; 1031 1079 $hidden = explode( ',', $_POST['hidden'] ); … … 1041 1089 update_user_option($user->ID, "manage{$page}columnshidden", $hidden, true); 1042 1090 1043 1091 die('1'); 1044 break; 1045 case 'menu-get-metabox' : 1092 } 1093 1094 function ajax_menu_get_metabox() { 1046 1095 if ( ! current_user_can( 'edit_theme_options' ) ) 1047 1096 die('-1'); 1048 1097 … … 1080 1129 } 1081 1130 1082 1131 exit; 1083 break; 1084 case 'menu-quick-search': 1132 } 1133 1134 function ajax_menu_quick_search() { 1085 1135 if ( ! current_user_can( 'edit_theme_options' ) ) 1086 1136 die('-1'); 1087 1137 … … 1090 1140 _wp_ajax_menu_quick_search( $_REQUEST ); 1091 1141 1092 1142 exit; 1093 break; 1094 case 'wp-link-ajax': 1143 } 1144 1145 function ajax_wp_link_ajax() { 1095 1146 require_once ABSPATH . 'wp-admin/includes/internal-linking.php'; 1096 1147 1097 1148 check_ajax_referer( 'internal-linking', '_ajax_linking_nonce' ); … … 1111 1162 echo "\n"; 1112 1163 1113 1164 exit; 1114 break; 1115 case 'menu-locations-save': 1165 } 1166 1167 function ajax_menu_locations_save() { 1116 1168 if ( ! current_user_can( 'edit_theme_options' ) ) 1117 1169 die('-1'); 1118 1170 check_ajax_referer( 'add-menu_item', 'menu-settings-column-nonce' ); … … 1120 1172 die('0'); 1121 1173 set_theme_mod( 'nav_menu_locations', array_map( 'absint', $_POST['menu-locations'] ) ); 1122 1174 die('1'); 1123 break; 1124 case 'meta-box-order': 1175 } 1176 1177 function ajax_meta_box_order() { 1125 1178 check_ajax_referer( 'meta-box-order' ); 1126 1179 $order = isset( $_POST['order'] ) ? (array) $_POST['order'] : false; 1127 1180 $page_columns = isset( $_POST['page_columns'] ) ? (int) $_POST['page_columns'] : 0; … … 1140 1193 update_user_option($user->ID, "screen_layout_$page", $page_columns, true); 1141 1194 1142 1195 die('1'); 1143 break; 1144 case 'get-permalink': 1196 } 1197 1198 function ajax_get_permalink() { 1145 1199 check_ajax_referer( 'getpermalink', 'getpermalinknonce' ); 1146 1200 $post_id = isset($_POST['post_id'])? intval($_POST['post_id']) : 0; 1147 1201 die(add_query_arg(array('preview' => 'true'), get_permalink($post_id))); 1148 break; 1149 case 'sample-permalink': 1202 } 1203 1204 function ajax_sample_permalink() { 1150 1205 check_ajax_referer( 'samplepermalink', 'samplepermalinknonce' ); 1151 1206 $post_id = isset($_POST['post_id'])? intval($_POST['post_id']) : 0; 1152 1207 $title = isset($_POST['new_title'])? $_POST['new_title'] : ''; 1153 1208 $slug = isset($_POST['new_slug'])? $_POST['new_slug'] : null; 1154 1209 die(get_sample_permalink_html($post_id, $title, $slug)); 1155 break; 1156 case 'inline-save': 1210 } 1211 1212 function ajax_inline_save() { 1157 1213 check_ajax_referer( 'inlineeditnonce', '_inline_edit' ); 1158 1214 1159 1215 if ( ! isset($_POST['post_ID']) || ! ( $post_ID = (int) $_POST['post_ID'] ) ) … … 1210 1266 $wp_list_table->display_rows( array( get_post( $_POST['post_ID'] ) ) ); 1211 1267 1212 1268 exit; 1213 break; 1214 case 'inline-save-tax': 1269 } 1270 1271 function ajax_inline_save_tax() { 1215 1272 check_ajax_referer( 'taxinlineeditnonce', '_inline_edit' ); 1216 1273 1217 1274 $taxonomy = sanitize_key( $_POST['taxonomy'] ); … … 1249 1306 } 1250 1307 1251 1308 exit; 1252 break; 1253 case 'find_posts': 1309 } 1310 1311 function ajax_find_posts() { 1254 1312 check_ajax_referer( 'find-posts' ); 1255 1313 1256 1314 if ( empty($_POST['ps']) ) … … 1319 1377 'data' => $html 1320 1378 )); 1321 1379 $x->send(); 1380 } 1322 1381 1323 break; 1324 case 'widgets-order' : 1382 function ajax_widgets_order() { 1325 1383 check_ajax_referer( 'save-sidebar-widgets', 'savewidgets' ); 1326 1384 1327 1385 if ( !current_user_can('edit_theme_options') ) … … 1350 1408 } 1351 1409 1352 1410 die('-1'); 1353 break; 1354 case 'save-widget' : 1411 } 1412 1413 function ajax_save_widget() { 1355 1414 check_ajax_referer( 'save-sidebar-widgets', 'savewidgets' ); 1356 1415 1357 1416 if ( !current_user_can('edit_theme_options') || !isset($_POST['id_base']) ) … … 1418 1477 call_user_func_array( $form['callback'], $form['params'] ); 1419 1478 1420 1479 die(); 1421 break; 1422 case 'image-editor': 1480 } 1481 1482 function ajax_image_editor() { 1423 1483 $attachment_id = intval($_POST['postid']); 1424 1484 if ( empty($attachment_id) || !current_user_can('edit_post', $attachment_id) ) 1425 1485 die('-1'); … … 1444 1504 1445 1505 wp_image_editor($attachment_id, $msg); 1446 1506 die(); 1447 break; 1448 case 'set-post-thumbnail': 1507 } 1508 1509 function ajax_set_post_thumbnail() { 1449 1510 $post_ID = intval( $_POST['post_id'] ); 1450 1511 if ( !current_user_can( 'edit_post', $post_ID ) ) 1451 1512 die( '-1' ); … … 1461 1522 if ( set_post_thumbnail( $post_ID, $thumbnail_id ) ) 1462 1523 die( _wp_post_thumbnail_html( $thumbnail_id ) ); 1463 1524 die( '0' ); 1464 break; 1465 case 'date_format' : 1525 } 1526 1527 function ajax_date_format() { 1466 1528 die( date_i18n( sanitize_option( 'date_format', $_POST['date'] ) ) ); 1467 break; 1468 case 'time_format' : 1529 } 1530 1531 function ajax_time_format() { 1469 1532 die( date_i18n( sanitize_option( 'time_format', $_POST['date'] ) ) ); 1470 break; 1471 default : 1472 do_action( 'wp_ajax_' . $_POST['action'] ); 1473 die('0'); 1474 break; 1475 endswitch; 1533 } 1534 1535 include( '../wp-ajax.php' ); 1476 1536 ?>
