Ticket #20876: 20876.diff
| File 20876.diff, 11.8 KB (added by , 14 years ago) |
wp-login.php
82 82 $login_header_url = apply_filters( 'login_headerurl', $login_header_url ); 83 83 $login_header_title = apply_filters( 'login_headertitle', $login_header_title ); 84 84 85 // Don't allow interim logins to navigate away from the page. 86 if ( $interim_login ) 87 $login_header_url = '#'; 88 85 89 ?> 86 90 </head> 87 91 <body class="login<?php if ( wp_is_mobile() ) echo ' mobile'; ?>"> … … 126 130 * @param string $input_id Which input to auto-focus 127 131 */ 128 132 function login_footer($input_id = '') { 129 ?> 133 global $interim_login; 134 135 // Don't allow interim logins to navigate away from the page. 136 if ( ! $interim_login ): ?> 130 137 <p id="backtoblog"><a href="<?php echo esc_url( home_url( '/' ) ); ?>" title="<?php esc_attr_e( 'Are you lost?' ); ?>"><?php printf( __( '← Back to %s' ), get_bloginfo( 'title', 'display' ) ); ?></a></p> 138 <?php endif; ?> 139 131 140 </div> 132 141 133 142 <?php if ( !empty($input_id) ) : ?> … … 555 564 default: 556 565 $secure_cookie = ''; 557 566 $interim_login = isset($_REQUEST['interim-login']); 567 $customize_login = isset( $_REQUEST['customize-login'] ); 568 if ( $customize_login ) 569 wp_enqueue_script( 'customize-base' ); 558 570 559 571 // If the user wants ssl but the session is not ssl, force a secure cookie. 560 572 if ( !empty($_POST['log']) && !force_ssl_admin() ) { … … 592 604 if ( $interim_login ) { 593 605 $message = '<p class="message">' . __('You have logged in successfully.') . '</p>'; 594 606 login_header( '', $message ); ?> 607 608 <?php if ( ! 
$customize_login ) : ?> 595 609 <script type="text/javascript">setTimeout( function(){window.close()}, 8000);</script> 596 610 <p class="alignright"> 597 611 <input type="button" class="button-primary" value="<?php esc_attr_e('Close'); ?>" onclick="window.close()" /></p> 598 </div></body></html> 612 <?php endif; ?> 613 </div> 614 <?php do_action( 'login_footer' ); ?> 615 <?php if ( $customize_login ) : ?> 616 <script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script> 617 <?php endif; ?> 618 </body></html> 599 619 <?php exit; 600 620 } 601 621 … … 666 686 <?php } else { ?> 667 687 <input type="hidden" name="redirect_to" value="<?php echo esc_attr($redirect_to); ?>" /> 668 688 <?php } ?> 689 <?php if ( $customize_login ) : ?> 690 <input type="hidden" name="customize-login" value="1" /> 691 <?php endif; ?> 669 692 <input type="hidden" name="testcookie" value="1" /> 670 693 </p> 671 694 </form> -
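Review bot: At new line 616 `wp_customize_url()` is echoed straight into a single-quoted JavaScript string literal; it is a server-derived URL rather than user input, but every other value this file prints goes through `esc_url`/`esc_attr_e`, so this line should match with `url: '<?php echo esc_js( wp_customize_url() ); ?>'`. The `$customize_login` flag at 567 is read with `isset( $_REQUEST['customize-login'] )`, so any GET or POST carrying that key enqueues `customize-base` and suppresses the window-close behaviour; that is harmless as written, but a comment such as `// customize-login is a presence flag; its value is never read` would keep a later change from trusting the value. New line 614 also fires `do_action( 'login_footer' )` on the interim-success page for the first time, which is a behaviour change for plugins hooked there and deserves a sentence in the commit message. The `default:` case these lines sit in, and the body of `login_footer()`, both begin and end outside the hunk.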
wp-includes/class-wp-customize-manager.php
17 17 protected $sections = array(); 18 18 protected $controls = array(); 19 19 20 protected $nonce_tick; 21 20 22 protected $customized; 21 23 22 24 private $_post_values; … … 31 33 require( ABSPATH . WPINC . '/class-wp-customize-section.php' ); 32 34 require( ABSPATH . WPINC . '/class-wp-customize-control.php' ); 33 35 36 add_filter( 'wp_die_handler', array( $this, 'wp_die_handler' ) ); 37 34 38 add_action( 'setup_theme', array( $this, 'setup_theme' ) ); 35 39 add_action( 'wp_loaded', array( $this, 'wp_loaded' ) ); 36 40 … … 53 57 } 54 58 55 59 /** 60 * Return true if it's an AJAX request. 61 * 62 * @since 3.4.0 63 */ 64 public function doing_ajax() { 65 return isset( $_POST['customized'] ) || ( defined( 'DOING_AJAX' ) && DOING_AJAX ); 66 } 67 68 /** 69 * Custom wp_die wrapper. Returns either the standard message for UI 70 * or the AJAX message. 71 * 72 * @param mixed $ajax_message AJAX return 73 * @param mixed $message UI message 74 * 75 * @since 3.4.0 76 */ 77 private function wp_die( $ajax_message, $message ) { 78 if ( $this->doing_ajax() ) 79 wp_die( $ajax_message ); 80 81 wp_die( $message ); 82 } 83 84 /** 85 * Return the AJAX wp_die() handler if it's a customized request. 86 * 87 * @since 3.4.0 88 */ 89 public function wp_die_handler() { 90 if ( $this->doing_ajax() ) 91 return '_ajax_wp_die_handler'; 92 93 return '_default_wp_die_handler'; 94 } 95 96 /** 56 97 * Start preview and customize theme. 57 98 * 58 99 * Check if customize query variable exist. Init filters to filter the current theme. … … 60 101 * @since 3.4.0 61 102 */ 62 103 public function setup_theme() { 63 if ( is_admin() && ! defined( 'DOING_AJAX' ) ) 64 auth_redirect(); 104 if ( is_admin() && ! $this->doing_ajax() ) 105 auth_redirect(); 106 elseif ( $this->doing_ajax() && ! is_user_logged_in() ) 107 wp_die( 0 ); 65 108 66 109 send_origin_headers(); 67 110 … … 71 114 72 115 // You can't preview a theme if it doesn't exist, or if it is not allowed (unless active). 73 116 if ( ! 
$this->theme->exists() ) 74 wp_die(__( 'Cheatin’ uh?' ) );117 $this->wp_die( -1, __( 'Cheatin’ uh?' ) ); 75 118 76 119 if ( $this->theme->get_stylesheet() != get_stylesheet() && ( ! $this->theme()->is_allowed() || ! current_user_can( 'switch_themes' ) ) ) 77 wp_die(__( 'Cheatin’ uh?' ) );120 $this->wp_die( -1, __( 'Cheatin’ uh?' ) ); 78 121 79 122 if ( ! current_user_can( 'edit_theme_options' ) ) 80 wp_die(__( 'Cheatin’ uh?' ) );123 $this->wp_die( -1, __( 'Cheatin’ uh?' ) ); 81 124 125 if ( $this->doing_ajax() && ! defined( 'DOING_AJAX' ) ) // Fire on previews. 126 $this->nonce_tick = check_ajax_referer( 'customize_preview-' . $this->get_stylesheet(), 'nonce' ); 127 82 128 $this->start_previewing_theme(); 83 129 show_admin_bar( false ); 84 130 } … … 300 346 'backgroundImageHasDefault' => current_theme_supports( 'custom-background', 'default-image' ), 301 347 ); 302 348 349 if ( 2 == $this->nonce_tick ) { 350 $settings['customize-controls-nonce'] = wp_create_nonce( 'customize-controls-' . $this->get_stylesheet() ); 351 $settings['customize-preview-nonce'] = wp_create_nonce( 'customize_preview-' . $this->get_stylesheet() ); 352 } 353 303 354 foreach ( $this->settings as $id => $setting ) { 304 355 $settings['values'][ $id ] = $setting->js_value(); 305 356 } … … 949 1000 return '#' . $unhashed; 950 1001 951 1002 return $color; 952 } 953 No newline at end of file 1003 } -
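Review bot: `doing_ajax()` at new lines 64–66 reports an AJAX request whenever `$_POST['customized']` is present, and that flag is client-supplied: any hand-built or cross-site POST carrying a `customized` field switches the `wp_die` handler (filter added at 36) to `_ajax_wp_die_handler` and routes `setup_theme()` through the `wp_die( 0 )` branch at 107; nothing on the page lets that bypass the capability checks at 117–123, but the docblock should say what the method actually keys on and carry a return type, e.g. `* Whether to treat this request as an AJAX/preview request. Keyed on the presence of a 'customized' POST field, so it is a client hint, not an authentication signal. @return bool`. The nonce refresh at 349–352 puts fresh nonces into `$settings` when `nonce_tick` is 2, but nothing in this patch reads `customize-controls-nonce`/`customize-preview-nonce` back out of those settings on the controls side, so the refreshed values may never be consumed — worth confirming against customize-preview.js, which is not in the diff. The private `wp_die()` wrapper at 77 shares its name with the global function it calls at 79 and 81 and reads like recursion at first glance; a comment `// global wp_die(), not this method` on those two calls, or a name such as `die_with()`, would help.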
wp-includes/script-loader.php
305 305 'saved' => __( 'Saved' ), 306 306 'cancel' => __( 'Cancel' ), 307 307 'close' => __( 'Close' ), 308 'cheatin' => __( 'Cheatin’ uh?' ), 308 309 ) ); 309 310 310 311 if ( is_admin() ) { -
wp-admin/customize.php
7 7 * @since 3.4.0 8 8 */ 9 9 10 define( 'IFRAME_REQUEST', true ); 11 10 12 require_once( './admin.php' ); 11 13 if ( ! current_user_can( 'edit_theme_options' ) ) 12 14 wp_die( __( 'Cheatin’ uh?' ) ); … … 57 59 <body class="<?php echo esc_attr( $body_class ); ?>"> 58 60 <div class="wp-full-overlay expanded"> 59 61 <form id="customize-controls" class="wrap wp-full-overlay-sidebar"> 60 <?php wp_nonce_field( 'customize_controls-' . $wp_customize->get_stylesheet() ); ?> 62 <?php wp_nonce_field( 'customize_controls-' . $wp_customize->get_stylesheet(), 'customize-controls-nonce', false ); ?> 63 <?php wp_nonce_field( 'customize_preview-' . $wp_customize->get_stylesheet(), 'customize-preview-nonce', false ); ?> 61 64 <div id="customize-header-actions" class="wp-full-overlay-header"> 62 65 <?php 63 66 $save_text = $wp_customize->is_theme_active() ? __( 'Save & Publish' ) : __( 'Save & Activate' ); … … 140 143 'TB_iframe' => 'true' 141 144 ), home_url( '/' ) ); 142 145 146 $login_url = add_query_arg( array( 147 'interim-login' => 1, 148 'customize-login' => 1 149 ), wp_login_url() ); 150 143 151 $settings = array( 144 152 'theme' => array( 145 153 'stylesheet' => $wp_customize->get_stylesheet(), … … 153 161 'allowed' => array_map( 'esc_url', $allowed_urls ), 154 162 'isCrossDomain' => $cross_domain, 155 163 'fallback' => $fallback_url, 164 'login' => $login_url, 156 165 ), 157 166 'browser' => array( 158 167 'mobile' => wp_is_mobile(), -
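Review bot: The nonce fields at new lines 62–63 introduce the element ids `customize-controls-nonce` and `customize-preview-nonce`, which the controls JavaScript reads by selector and `WP_Customize_Manager` re-emits as `$settings` keys of the same name; nothing ties the three occurrences together, so a comment here such as `<?php // ids are read by customize-controls.js and refreshed by WP_Customize_Manager; keep all three in sync ?>` would stop a rename from silently breaking nonce handling. The `false` third argument suppresses the `_wp_http_referer` field for both, which is appropriate for fields that are only ever sent over AJAX.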
wp-admin/js/customize-controls.dev.js
334 334 return; 335 335 } 336 336 337 // Check if the user is not logged in. 338 if ( '0' === response ) { 339 deferred.rejectWith( self, [ 'logged out' ] ); 340 return; 341 } 342 343 // Check for cheaters. 344 if ( '-1' === response ) { 345 deferred.rejectWith( self, [ 'cheatin' ] ); 346 return; 347 } 348 337 349 // Check for a signature in the request. 338 350 index = response.lastIndexOf( signature ); 339 351 if ( -1 === index || index < response.lastIndexOf('</html>') ) { … … 541 553 this.loading.fail( function( reason, location ) { 542 554 if ( 'redirect' === reason && location ) 543 555 self.url( location ); 556 557 if ( 'logged out' === reason ) { 558 if ( self.iframe ) { 559 self.iframe.destroy(); 560 delete self.iframe; 561 } 562 563 self.login().done( self.refresh ); 564 } 565 566 if ( 'cheatin' === reason ) 567 self.cheatin(); 544 568 }); 569 }, 570 571 login: function() { 572 var previewer = this, 573 deferred, messenger, iframe; 574 575 if ( this._login ) 576 return this._login; 577 578 deferred = $.Deferred(); 579 this._login = deferred.promise(); 580 581 messenger = new api.Messenger({ 582 channel: 'login', 583 url: api.settings.url.login 584 }); 585 586 iframe = $('<iframe src="' + api.settings.url.login + '" />').appendTo( this.container ); 587 588 messenger.targetWindow( iframe[0].contentWindow ); 589 590 messenger.bind( 'login', function() { 591 iframe.remove(); 592 messenger.destroy(); 593 delete previewer._login; 594 deferred.resolve(); 595 }); 596 597 return this._login; 598 }, 599 600 cheatin: function() { 601 $( document.body ).empty().addClass('cheatin').append( '<p>' + api.l10n.cheatin + '</p>' ); 545 602 } 546 603 }); 547 604 … … 587 644 url: api.settings.url.preview, 588 645 allowedUrls: api.settings.url.allowed 589 646 }, { 647 648 p_nonce: $('#customize-preview-nonce').val(), 649 c_nonce: $('#customize-controls-nonce').val(), 650 590 651 query: function() { 591 652 return { 592 653 wp_customize: 'on', 593 654 theme: 
api.settings.theme.stylesheet, 594 customized: JSON.stringify( api.get() ) 655 customized: JSON.stringify( api.get() ), 656 nonce: this.p_nonce 657 595 658 }; 596 659 }, 597 660 598 nonce: $('#_wpnonce').val(),599 600 661 save: function() { 601 var query = $.extend( this.query(), { 662 var self = this, 663 query = $.extend( this.query(), { 602 664 action: 'customize_save', 603 nonce: this. nonce665 nonce: this.c_nonce 604 666 }), 605 667 request = $.post( api.settings.url.ajax, query ); 606 668 … … 612 674 body.removeClass('saving'); 613 675 }); 614 676 615 request.done( function() { 677 request.done( function( response ) { 678 // Check if the user is logged out. 679 if ( '0' === response ) { 680 self.iframe.iframe.hide(); 681 self.login().done( function() { 682 self.save(); 683 self.iframe.iframe.show(); 684 }); 685 return; 686 } 687 688 // Check for cheaters. 689 if ( '-1' === response ) { 690 self.cheatin(); 691 return; 692 } 693 616 694 api.trigger( 'saved' ); 617 695 }); 618 696 } -
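Review bot: `self.login().done( self.refresh )` at new line 563 passes `refresh` as a bare function reference, so when the login deferred is resolved (`deferred.resolve()` at 594, with no context argument) the callback runs with `this` bound to the deferred rather than the previewer — unless `refresh` is bound elsewhere in the class, which this diff does not show; the later call site at 681–684 already uses the safe form, so this one should match it: `self.login().done( function() { self.refresh(); } );`. At 586 the iframe is created by splicing `api.settings.url.login` into an HTML string; the URL is server-supplied, but `$( '<iframe />', { src: api.settings.url.login } ).appendTo( this.container )` never parses the URL as markup and is the form to prefer. The `'0'`/`'-1'` comparisons at 338–347 and 679–692 depend on the server reply being exactly that text, so a one-line comment naming the `wp_die( 0 )` / `wp_die( -1 )` convention in `WP_Customize_Manager` would help readers. The function containing the first hunk begins and ends outside it.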
wp-admin/css/customize-controls.dev.css
514 514 -webkit-overflow-scrolling: touch; 515 515 } 516 516 517 /** 518 * Handle cheaters. 519 */ 520 body.cheatin { 521 min-width: 0; 522 background: #f9f9f9; 523 padding: 50px; 524 } 525 526 body.cheatin p { 527 max-width: 700px; 528 margin: 0 auto; 529 padding: 2em; 530 font-size: 14px; 531 532 background: #fff; 533 border: 1px solid #dfdfdf; 534 535 -webkit-border-radius: 3px; 536 border-radius: 3px; 537 } 538 No newline at end of file