Ticket #28605: 28605.2.diff

src/wp-admin/admin-header.php

@@ -177 +177 @@
 
 <?php
 // Make sure the customize body classes are correct as early as possible.
-if ( current_user_can( 'edit_theme_options' ) )
+if ( current_user_can( 'customize' ) )
         wp_customize_support_script();
 ?>
 

src/wp-admin/customize.php

@@ -12 +12 @@
 /** Load WordPress Administration Bootstrap */
 require_once( dirname( __FILE__ ) . '/admin.php' );
 
-if ( ! current_user_can( 'edit_theme_options' ) ) {
+if ( ! current_user_can( 'customize' ) ) {
         wp_die( __( 'Cheatin’ uh?' ) );
 }
 
@@ -24 +24 @@
         $return = wp_validate_redirect( $return );
 }
 if ( ! $return ) {
-        $return = $url;
+        if ( $url ) {
+                $return = $url;
+        } elseif ( current_user_can( 'edit_theme_options' ) ) {
+                $return = admin_url( 'themes.php' );
+        } else {
+                $return = admin_url();
+        }
 }
 
 global $wp_scripts, $wp_customize;
@@ -112 +118 @@
                                 submit_button( $save_text, 'primary save', 'save', false );
                         ?>
                         <span class="spinner"></span>
-                        <a class="customize-controls-close" href="<?php echo esc_url( $return ? $return : admin_url( 'themes.php' ) ); ?>">
+                        <a class="customize-controls-close" href="<?php echo esc_url( $return ); ?>">
                                 <span class="screen-reader-text"><?php _e( 'Cancel' ); ?></span>
                         </a>
                 </div>

src/wp-admin/includes/class-wp-upgrader-skins.php

@@ -594 +594 @@
                         $activate_link = wp_nonce_url( $activate_link, 'switch-theme_' . $stylesheet );
 
                         if ( get_stylesheet() == $stylesheet ) {
-                                if ( current_user_can( 'edit_theme_options' ) )
+                                if ( current_user_can( 'customize' ) )
                                         $update_actions['preview']  = '<a href="' . wp_customize_url( $stylesheet ) . '" class="hide-if-no-customize load-customize" title="' . esc_attr( sprintf( __('Customize &#8220;%s&#8221;'), $name ) ) . '">' . __('Customize') . '</a>';
                         } elseif ( current_user_can( 'switch_themes' ) ) {
                                 $update_actions['preview']  = '<a href="' . esc_url( $preview_link ) . '" class="hide-if-customize" title="' . esc_attr( sprintf( __('Preview &#8220;%s&#8221;'), $name ) ) . '">' . __('Preview') . '</a>';

src/wp-admin/menu.php

@@ -144 +144 @@
 
 $appearance_cap = current_user_can( 'switch_themes') ? 'switch_themes' : 'edit_theme_options';
 
-$menu[60] = array( __('Appearance'), $appearance_cap, 'themes.php', '', 'menu-top menu-icon-appearance', 'menu-appearance', 'dashicons-admin-appearance' );
+$customize_url = add_query_arg( 'return', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), 'customize.php' );
+if ( current_user_can( $appearance_cap) ) {
+        $menu[60] = array( __( 'Appearance' ), $appearance_cap, 'themes.php', '', 'menu-top menu-icon-appearance', 'menu-appearance', 'dashicons-admin-appearance' );
         $submenu['themes.php'][5] = array( __( 'Themes' ), $appearance_cap, 'themes.php' );
 
         $customize_url = add_query_arg( 'return', urlencode( wp_unslash( $_SERVER['REQUEST_URI'] ) ), 'customize.php' );
-        $submenu['themes.php'][6] = array( __( 'Customize' ), 'edit_theme_options', $customize_url, '', 'hide-if-no-customize' );
+        $submenu['themes.php'][6] = array( __( 'Customize' ), 'customize', $customize_url, '', 'hide-if-no-customize' );
         unset( $customize_url );
         if ( current_theme_supports( 'menus' ) || current_theme_supports( 'widgets' ) ) {
                 $submenu['themes.php'][10] = array(__( 'Menus' ), 'edit_theme_options', 'nav-menus.php');
         }
-
-unset( $appearance_cap );
+} else {
+        $menu[60] = array( __( 'Customize' ), 'customize', $customize_url, '', 'menu-top menu-icon-appearance hide-if-no-customize', 'menu-appearance', 'dashicons-admin-appearance' );
+}
+unset( $customize_url, $appearance_cap );
 
 // Add 'Editor' to the bottom of the Appearance menu.
 if ( ! is_multisite() )

src/wp-admin/themes.php

@@ -212 +212 @@
         <div class="theme-actions">
 
         <?php if ( $theme['active'] ) { ?>
-                <?php if ( $theme['actions']['customize'] ) { ?>
+                <?php if ( $theme['actions']['customize'] && current_user_can( 'customize' ) ) { ?>
                         <a class="button button-primary customize load-customize hide-if-no-customize" href="<?php echo $theme['actions']['customize']; ?>"><?php _e( 'Customize' ); ?></a>
                 <?php } ?>
         <?php } else { ?>
                 <a class="button button-primary activate" href="<?php echo $theme['actions']['activate']; ?>"><?php _e( 'Activate' ); ?></a>
-                <a class="button button-secondary load-customize hide-if-no-customize" href="<?php echo $theme['actions']['customize']; ?>"><?php _e( 'Live Preview' ); ?></a>
-                <a class="button button-secondary hide-if-customize" href="<?php echo $theme['actions']['preview']; ?>"><?php _e( 'Preview' ); ?></a>
+                <?php if ( current_user_can( 'customize' ) ) { ?>
+                        <a class="button button-secondary load-customize hide-if-no-customize" href="<?php echo $theme['actions']['customize']; ?>"><?php _e( 'Live Preview' ); ?></a>
+                        <a class="button button-secondary hide-if-customize" href="<?php echo $theme['actions']['preview']; ?>"><?php _e( 'Preview' ); ?></a>
+                <?php } ?>
         <?php } ?>
 
         </div>

src/wp-includes/admin-bar.php

@@ -657 +657 @@
         if ( current_user_can( 'switch_themes' ) || current_user_can( 'edit_theme_options' ) )
                 $wp_admin_bar->add_menu( array( 'parent' => 'appearance', 'id' => 'themes', 'title' => __('Themes'), 'href' => admin_url('themes.php') ) );
 
-        if ( ! current_user_can( 'edit_theme_options' ) )
-                return;
-
-        $current_url = ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
-        $wp_admin_bar->add_menu( array(
-                'parent' => 'appearance',
-                'id'     => 'customize',
-                'title'  => __('Customize'),
-                'href'   => add_query_arg( 'url', urlencode( $current_url ), wp_customize_url() ),
-                'meta'   => array(
-                        'class' => 'hide-if-no-customize',
-                ),
-        ) );
-        add_action( 'wp_before_admin_bar_render', 'wp_customize_support_script' );
+        if ( current_user_can( 'customize' ) ) {
+                $current_url = ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
+                $wp_admin_bar->add_menu( array(
+                        'parent' => 'appearance',
+                        'id'     => 'customize',
+                        'title'  => __( 'Customize' ),
+                        'href'   => add_query_arg( 'url', urlencode( $current_url ), wp_customize_url() ),
+                        'meta'   => array(
+                                'class' => 'hide-if-no-customize',
+                        ),
+                ) );
+                add_action( 'wp_before_admin_bar_render', 'wp_customize_support_script' );
+        }
 
-        if ( current_theme_supports( 'widgets' )  )
-                $wp_admin_bar->add_menu( array( 'parent' => 'appearance', 'id' => 'widgets', 'title' => __('Widgets'), 'href' => admin_url('widgets.php') ) );
+        if ( current_user_can( 'edit_theme_options' ) ) {
+                if ( current_theme_supports( 'widgets' )  ) {
+                        $wp_admin_bar->add_menu( array( 'parent' => 'appearance', 'id' => 'widgets', 'title' => __( 'Widgets' ), 'href' => admin_url( 'widgets.php' ) ) );
+                }
 
-        if ( current_theme_supports( 'menus' ) || current_theme_supports( 'widgets' ) )
-                $wp_admin_bar->add_menu( array( 'parent' => 'appearance', 'id' => 'menus', 'title' => __('Menus'), 'href' => admin_url('nav-menus.php') ) );
+                if ( current_theme_supports( 'menus' ) || current_theme_supports( 'widgets' ) ) {
+                        $wp_admin_bar->add_menu( array( 'parent' => 'appearance', 'id' => 'menus', 'title' => __( 'Menus' ), 'href' => admin_url( 'nav-menus.php' ) ) );
+                }
 
-        if ( current_theme_supports( 'custom-background' ) )
-                $wp_admin_bar->add_menu( array( 'parent' => 'appearance', 'id' => 'background', 'title' => __('Background'), 'href' => admin_url('themes.php?page=custom-background') ) );
+                if ( current_theme_supports( 'custom-background' ) ) {
+                        $wp_admin_bar->add_menu( array( 'parent' => 'appearance', 'id' => 'background', 'title' => __( 'Background' ), 'href' => admin_url( 'themes.php?page=custom-background' ) ) );
+                }
 
-        if ( current_theme_supports( 'custom-header' ) )
-                $wp_admin_bar->add_menu( array( 'parent' => 'appearance', 'id' => 'header', 'title' => __('Header'), 'href' => admin_url('themes.php?page=custom-header') ) );
+                if ( current_theme_supports( 'custom-header' ) ) {
+                        $wp_admin_bar->add_menu( array( 'parent' => 'appearance', 'id' => 'header', 'title' => __( 'Header' ), 'href' => admin_url( 'themes.php?page=custom-header' ) ) );
+                }
+        }
 }
 
 /**

src/wp-includes/capabilities.php

@@ -1304 +1304 @@
                 else
                         $caps[] = 'do_not_allow';
                 break;
+        case 'customize' :
+                $caps[] = 'edit_theme_options';
+                break;
         default:
                 // Handle meta capabilities for custom post types.
                 $post_type_meta_caps = _post_type_meta_capabilities();

src/wp-includes/class-wp-customize-manager.php

@@ -150 +150 @@
         public function setup_theme() {
                 send_origin_headers();
 
-                if ( is_admin() && ! $this->doing_ajax() )
-                    auth_redirect();
-                elseif ( $this->doing_ajax() && ! is_user_logged_in() )
-                    $this->wp_die( 0 );
+                if ( is_admin() && ! $this->doing_ajax() ) {
+                        auth_redirect();
+                } elseif ( $this->doing_ajax() && ! is_user_logged_in() ) {
+                        $this->wp_die( 0 );
+                }
 
                 show_admin_bar( false );
 
-                if ( ! current_user_can( 'edit_theme_options' ) )
+                if ( ! current_user_can( 'customize' ) ) {
                         $this->wp_die( -1 );
+                }
 
                 $this->original_stylesheet = get_stylesheet();