Ticket #20876: 20876.2.diff
| File 20876.2.diff, 14.8 KB (added by , 14 years ago) |
|---|
wp-login.php
82 82 $login_header_url = apply_filters( 'login_headerurl', $login_header_url ); 83 83 $login_header_title = apply_filters( 'login_headertitle', $login_header_title ); 84 84 85 // Don't allow interim logins to navigate away from the page. 86 if ( $interim_login ) 87 $login_header_url = '#'; 88 85 89 ?> 86 90 </head> 87 91 <body class="login<?php if ( wp_is_mobile() ) echo ' mobile'; ?>"> … … 126 130 * @param string $input_id Which input to auto-focus 127 131 */ 128 132 function login_footer($input_id = '') { 129 ?> 133 global $interim_login; 134 135 // Don't allow interim logins to navigate away from the page. 136 if ( ! $interim_login ): ?> 130 137 <p id="backtoblog"><a href="<?php echo esc_url( home_url( '/' ) ); ?>" title="<?php esc_attr_e( 'Are you lost?' ); ?>"><?php printf( __( '← Back to %s' ), get_bloginfo( 'title', 'display' ) ); ?></a></p> 138 <?php endif; ?> 139 131 140 </div> 132 141 133 142 <?php if ( !empty($input_id) ) : ?> … … 555 564 default: 556 565 $secure_cookie = ''; 557 566 $interim_login = isset($_REQUEST['interim-login']); 567 $customize_login = isset( $_REQUEST['customize-login'] ); 568 if ( $customize_login ) 569 wp_enqueue_script( 'customize-base' ); 558 570 559 571 // If the user wants ssl but the session is not ssl, force a secure cookie. 560 572 if ( !empty($_POST['log']) && !force_ssl_admin() ) { … … 592 604 if ( $interim_login ) { 593 605 $message = '<p class="message">' . __('You have logged in successfully.') . '</p>'; 594 606 login_header( '', $message ); ?> 607 608 <?php if ( ! 
$customize_login ) : ?> 595 609 <script type="text/javascript">setTimeout( function(){window.close()}, 8000);</script> 596 610 <p class="alignright"> 597 611 <input type="button" class="button-primary" value="<?php esc_attr_e('Close'); ?>" onclick="window.close()" /></p> 598 </div></body></html> 612 <?php endif; ?> 613 </div> 614 <?php do_action( 'login_footer' ); ?> 615 <?php if ( $customize_login ) : ?> 616 <script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script> 617 <?php endif; ?> 618 </body></html> 599 619 <?php exit; 600 620 } 601 621 … … 666 686 <?php } else { ?> 667 687 <input type="hidden" name="redirect_to" value="<?php echo esc_attr($redirect_to); ?>" /> 668 688 <?php } ?> 689 <?php if ( $customize_login ) : ?> 690 <input type="hidden" name="customize-login" value="1" /> 691 <?php endif; ?> 669 692 <input type="hidden" name="testcookie" value="1" /> 670 693 </p> 671 694 </form> -
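Review bot: The customize-login branch echoes `wp_customize_url()` straight into a single-quoted JavaScript string literal (`url: '<?php echo wp_customize_url(); ?>'`) with no JS-context escaping, whereas the surrounding output in this file goes through `esc_url( home_url( '/' ) )` and `esc_attr_e()`. Write it as `url: '<?php echo esc_js( wp_customize_url() ); ?>'` so a filtered or unusual admin URL cannot terminate the string and the script block. A one-line comment above the new `<?php if ( $customize_login ) : ?>` saying that the Messenger `url` is the origin the parent customizer frame will accept the `login` message from would also help the next reader. `login_header()` and the `default:` case that sets `$customize_login` both begin and end outside these hunks.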
wp-includes/class-wp-customize-manager.php
17 17 protected $sections = array(); 18 18 protected $controls = array(); 19 19 20 protected $nonce_tick; 21 20 22 protected $customized; 21 23 22 24 private $_post_values; … … 31 33 require( ABSPATH . WPINC . '/class-wp-customize-section.php' ); 32 34 require( ABSPATH . WPINC . '/class-wp-customize-control.php' ); 33 35 36 add_filter( 'wp_die_handler', array( $this, 'wp_die_handler' ) ); 37 34 38 add_action( 'setup_theme', array( $this, 'setup_theme' ) ); 35 39 add_action( 'wp_loaded', array( $this, 'wp_loaded' ) ); 36 40 … … 53 57 } 54 58 55 59 /** 60 * Return true if it's an AJAX request. 61 * 62 * @since 3.4.0 63 */ 64 public function doing_ajax() { 65 return isset( $_POST['customized'] ) || ( defined( 'DOING_AJAX' ) && DOING_AJAX ); 66 } 67 68 /** 69 * Custom wp_die wrapper. Returns either the standard message for UI 70 * or the AJAX message. 71 * 72 * @param mixed $ajax_message AJAX return 73 * @param mixed $message UI message 74 * 75 * @since 3.4.0 76 */ 77 private function wp_die( $ajax_message, $message ) { 78 if ( $this->doing_ajax() ) 79 wp_die( $ajax_message ); 80 81 wp_die( $message ); 82 } 83 84 /** 85 * Return the AJAX wp_die() handler if it's a customized request. 86 * 87 * @since 3.4.0 88 */ 89 public function wp_die_handler() { 90 if ( $this->doing_ajax() ) 91 return '_ajax_wp_die_handler'; 92 93 return '_default_wp_die_handler'; 94 } 95 96 /** 56 97 * Start preview and customize theme. 57 98 * 58 99 * Check if customize query variable exist. Init filters to filter the current theme. … … 60 101 * @since 3.4.0 61 102 */ 62 103 public function setup_theme() { 63 if ( is_admin() && ! defined( 'DOING_AJAX' ) ) 64 auth_redirect(); 104 if ( is_admin() && ! $this->doing_ajax() ) 105 auth_redirect(); 106 elseif ( $this->doing_ajax() && ! is_user_logged_in() ) 107 wp_die( 0 ); 65 108 66 109 send_origin_headers(); 67 110 … … 71 114 72 115 // You can't preview a theme if it doesn't exist, or if it is not allowed (unless active). 73 116 if ( ! 
$this->theme->exists() ) 74 wp_die(__( 'Cheatin’ uh?' ) );117 $this->wp_die( -1, __( 'Cheatin’ uh?' ) ); 75 118 76 119 if ( $this->theme->get_stylesheet() != get_stylesheet() && ( ! $this->theme()->is_allowed() || ! current_user_can( 'switch_themes' ) ) ) 77 wp_die(__( 'Cheatin’ uh?' ) );120 $this->wp_die( -1, __( 'Cheatin’ uh?' ) ); 78 121 79 122 if ( ! current_user_can( 'edit_theme_options' ) ) 80 wp_die(__( 'Cheatin’ uh?' ) );123 $this->wp_die( -1, __( 'Cheatin’ uh?' ) ); 81 124 125 82 126 $this->start_previewing_theme(); 83 127 show_admin_bar( false ); 84 128 } … … 245 289 * @since 3.4.0 246 290 */ 247 291 public function customize_preview_init() { 292 $this->nonce_tick = check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce' ); 293 248 294 $this->prepare_controls(); 249 295 250 296 wp_enqueue_script( 'customize-preview' ); … … 300 346 'backgroundImageHasDefault' => current_theme_supports( 'custom-background', 'default-image' ), 301 347 ); 302 348 349 if ( 2 == $this->nonce_tick ) { 350 $settings['nonce'] = array( 351 'save' => wp_create_nonce( 'save-customize_' . $this->get_stylesheet() ), 352 'preview' => wp_create_nonce( 'preview-customize_' . $this->get_stylesheet() ) 353 ); 354 } 355 303 356 foreach ( $this->settings as $id => $setting ) { 304 357 $settings['values'][ $id ] = $setting->js_value(); 305 358 } … … 406 459 if ( ! $this->is_preview() ) 407 460 die; 408 461 409 check_ajax_referer( ' customize_controls-' . $this->get_stylesheet(), 'nonce' );462 check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce' ); 410 463 411 464 // Do we have to switch themes? 412 465 if ( $this->get_stylesheet() != $this->original_stylesheet ) { … … 949 1002 return '#' . $unhashed; 950 1003 951 1004 return $color; 952 } 953 No newline at end of file 1005 } -
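Review bot: `if ( 2 == $this->nonce_tick )` in the settings hunk compares loosely against a value that `check_ajax_referer()` returns as `1`, `2` or `false`; use `if ( 2 === $this->nonce_tick ) {`, and give the new `protected $nonce_tick;` property a docblock, since it is assigned only in `customize_preview_init()` and reads as `null` everywhere else. The `doing_ajax()` docblock should also state that `isset( $_POST['customized'] )` is client-controlled and only selects the response format and `wp_die` handler, not an authorization outcome, so the `is_user_logged_in()`, capability and nonce checks below it stay the actual gate. The function containing the `$settings` hunk and the `save` hunk's `check_ajax_referer()` line both start and end outside the visible hunk lines.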
wp-includes/js/customize-preview.dev.js
88 88 preview.trigger( event, args ); 89 89 }); 90 90 preview.send( 'synced' ); 91 }) 91 }); 92 92 93 preview.bind( 'active', function() { 94 if ( api.settings.nonce ) 95 preview.send( 'nonce', api.settings.nonce ); 96 }); 97 93 98 preview.send( 'ready' ); 94 99 95 100 /* Custom Backgrounds */ -
wp-includes/script-loader.php
305 305 'saved' => __( 'Saved' ), 306 306 'cancel' => __( 'Cancel' ), 307 307 'close' => __( 'Close' ), 308 'cheatin' => __( 'Cheatin’ uh?' ), 308 309 ) ); 309 310 310 311 if ( is_admin() ) { -
wp-admin/customize.php
7 7 * @since 3.4.0 8 8 */ 9 9 10 define( 'IFRAME_REQUEST', true ); 11 10 12 require_once( './admin.php' ); 11 13 if ( ! current_user_can( 'edit_theme_options' ) ) 12 14 wp_die( __( 'Cheatin’ uh?' ) ); … … 57 59 <body class="<?php echo esc_attr( $body_class ); ?>"> 58 60 <div class="wp-full-overlay expanded"> 59 61 <form id="customize-controls" class="wrap wp-full-overlay-sidebar"> 60 <?php wp_nonce_field( 'customize_controls-' . $wp_customize->get_stylesheet() ); ?>61 62 <div id="customize-header-actions" class="wp-full-overlay-header"> 62 63 <?php 63 64 $save_text = $wp_customize->is_theme_active() ? __( 'Save & Publish' ) : __( 'Save & Activate' ); … … 140 141 'TB_iframe' => 'true' 141 142 ), home_url( '/' ) ); 142 143 144 $login_url = add_query_arg( array( 145 'interim-login' => 1, 146 'customize-login' => 1 147 ), wp_login_url() ); 148 143 149 $settings = array( 144 150 'theme' => array( 145 151 'stylesheet' => $wp_customize->get_stylesheet(), … … 153 159 'allowed' => array_map( 'esc_url', $allowed_urls ), 154 160 'isCrossDomain' => $cross_domain, 155 161 'fallback' => $fallback_url, 162 'login' => $login_url, 156 163 ), 157 164 'browser' => array( 158 165 'mobile' => wp_is_mobile(), … … 160 167 ), 161 168 'settings' => array(), 162 169 'controls' => array(), 170 'nonce' => array( 171 'save' => wp_create_nonce( 'save-customize_' . $wp_customize->get_stylesheet() ), 172 'preview' => wp_create_nonce( 'preview-customize_' . $wp_customize->get_stylesheet() ) 173 ), 163 174 ); 164 175 165 176 foreach ( $wp_customize->settings() as $id => $setting ) { -
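Review bot: `'login' => $login_url,` is stored raw while the sibling `'allowed'` entries are passed through `array_map( 'esc_url', $allowed_urls )`; because the controls script later drops `api.settings.url.login` into iframe markup, escape it here for consistency: `'login' => esc_url( $login_url ),`. A short comment on the new `'nonce'` array noting that the `'preview'` nonce travels as the `nonce` query parameter and is validated by `check_ajax_referer( 'preview-customize_' ... )` in `customize_preview_init()` would tie the two halves together for the next reader. The file is a flat script, so these hunks sit at top level rather than inside a function.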
wp-admin/js/customize-controls.dev.js
295 295 // This is the promise object. 296 296 deferred.promise( this ); 297 297 298 this.previewer = params.previewer; 298 this.container = params.container; 299 this.signature = params.signature; 299 300 300 301 $.extend( params, { channel: api.PreviewFrame.uuid() }); 301 302 … … 324 325 325 326 this.request.done( function( response ) { 326 327 var location = self.request.getResponseHeader('Location'), 327 signature = 'WP_CUSTOMIZER_SIGNATURE',328 signature = self.signature, 328 329 index; 329 330 330 331 // Check if the location response header differs from the current URL. … … 334 335 return; 335 336 } 336 337 338 // Check if the user is not logged in. 339 if ( '0' === response ) { 340 deferred.rejectWith( self, [ 'logged out' ] ); 341 return; 342 } 343 344 // Check for cheaters. 345 if ( '-1' === response ) { 346 deferred.rejectWith( self, [ 'cheatin' ] ); 347 return; 348 } 349 337 350 // Check for a signature in the request. 338 351 index = response.lastIndexOf( signature ); 339 352 if ( -1 === index || index < response.lastIndexOf('</html>') ) { … … 349 362 response = response.slice( 0, index ) + response.slice( index + signature.length ); 350 363 351 364 // Create the iframe and inject the html content. 352 self.iframe = $('<iframe />').appendTo( self. previewer.container );365 self.iframe = $('<iframe />').appendTo( self.container ); 353 366 354 367 // Bind load event after the iframe has been added to the page; 355 368 // otherwise it will fire when injected into the DOM. 
… … 443 456 444 457 this.container = api.ensure( params.container ); 445 458 this.allowedUrls = params.allowedUrls; 459 this.signature = params.signature; 446 460 447 461 api.Messenger.prototype.initialize.call( this, params ); 448 462 … … 517 531 this.loading = new api.PreviewFrame({ 518 532 url: this.url(), 519 533 query: this.query() || {}, 520 previewer: this 534 container: this.container, 535 signature: this.signature 521 536 }); 522 537 523 538 this.loading.done( function() { … … 530 545 531 546 self.targetWindow( this.targetWindow() ); 532 547 self.channel( this.channel() ); 548 549 self.send( 'active' ); 533 550 }); 534 551 535 552 this.send( 'sync', { … … 541 558 this.loading.fail( function( reason, location ) { 542 559 if ( 'redirect' === reason && location ) 543 560 self.url( location ); 561 562 if ( 'logged out' === reason ) { 563 if ( self.iframe ) { 564 self.iframe.destroy(); 565 delete self.iframe; 566 } 567 568 self.login().done( self.refresh ); 569 } 570 571 if ( 'cheatin' === reason ) 572 self.cheatin(); 544 573 }); 574 }, 575 576 login: function() { 577 var previewer = this, 578 deferred, messenger, iframe; 579 580 if ( this._login ) 581 return this._login; 582 583 deferred = $.Deferred(); 584 this._login = deferred.promise(); 585 586 messenger = new api.Messenger({ 587 channel: 'login', 588 url: api.settings.url.login 589 }); 590 591 iframe = $('<iframe src="' + api.settings.url.login + '" />').appendTo( this.container ); 592 593 messenger.targetWindow( iframe[0].contentWindow ); 594 595 messenger.bind( 'login', function() { 596 iframe.remove(); 597 messenger.destroy(); 598 delete previewer._login; 599 deferred.resolve(); 600 }); 601 602 return this._login; 603 }, 604 605 cheatin: function() { 606 $( document.body ).empty().addClass('cheatin').append( '<p>' + api.l10n.cheatin + '</p>' ); 545 607 } 546 608 }); 547 609 … … 585 647 container: '#customize-preview', 586 648 form: '#customize-controls', 587 649 url: api.settings.url.preview, 588 
allowedUrls: api.settings.url.allowed 650 allowedUrls: api.settings.url.allowed, 651 signature: 'WP_CUSTOMIZER_SIGNATURE' 589 652 }, { 653 654 nonce: api.settings.nonce, 655 590 656 query: function() { 591 657 return { 592 658 wp_customize: 'on', 593 659 theme: api.settings.theme.stylesheet, 594 customized: JSON.stringify( api.get() ) 660 customized: JSON.stringify( api.get() ), 661 nonce: this.nonce.preview 662 595 663 }; 596 664 }, 597 665 598 nonce: $('#_wpnonce').val(),599 600 666 save: function() { 601 var query = $.extend( this.query(), { 667 var self = this, 668 query = $.extend( this.query(), { 602 669 action: 'customize_save', 603 nonce: this.nonce 670 nonce: this.nonce.save 604 671 }), 605 672 request = $.post( api.settings.url.ajax, query ); 606 673 … … 612 679 body.removeClass('saving'); 613 680 }); 614 681 615 request.done( function() { 682 request.done( function( response ) { 683 // Check if the user is logged out. 684 if ( '0' === response ) { 685 self.iframe.iframe.hide(); 686 self.login().done( function() { 687 self.save(); 688 self.iframe.iframe.show(); 689 }); 690 return; 691 } 692 693 // Check for cheaters. 694 if ( '-1' === response ) { 695 self.cheatin(); 696 return; 697 } 698 616 699 api.trigger( 'saved' ); 617 700 }); 618 701 } 619 702 }); 620 703 704 // Refresh the nonces if the preview sends updated nonces over. 705 previewer.bind( 'nonce', function( nonce ) { 706 $.extend( this.nonce, nonce ); 707 }); 708 621 709 $.each( api.settings.settings, function( id, data ) { 622 710 api.create( id, id, data.value, { 623 711 transport: data.transport, -
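Review bot: `login()` builds the login frame by string concatenation, `$('<iframe src="' + api.settings.url.login + '" />')`, putting a server-supplied URL into HTML markup unescaped; create it the way `PreviewFrame` already does at line 365, `iframe = $('<iframe />').attr( 'src', api.settings.url.login ).appendTo( this.container );`. Separately, `self.login().done( self.refresh )` passes `refresh` unbound, so unless `refresh` is bound in `initialize` (which starts outside this hunk) it runs with the deferred as `this`; `self.login().done( function() { self.refresh(); } );` mirrors the `save()` retry handler below. The `nonce` handler `$.extend( this.nonce, nonce )` copies whatever keys the preview frame sends; copying only `save` and `preview` keeps the nonce object's shape explicit. `api.Previewer.prototype.initialize` and `refresh` both start outside this hunk.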
wp-admin/css/customize-controls.dev.css
514 514 -webkit-overflow-scrolling: touch; 515 515 } 516 516 517 /** 518 * Handle cheaters. 519 */ 520 body.cheatin { 521 min-width: 0; 522 background: #f9f9f9; 523 padding: 50px; 524 } 525 526 body.cheatin p { 527 max-width: 700px; 528 margin: 0 auto; 529 padding: 2em; 530 font-size: 14px; 531 532 background: #fff; 533 border: 1px solid #dfdfdf; 534 535 -webkit-border-radius: 3px; 536 border-radius: 3px; 537 } 538 No newline at end of file