

Changeset 21010


Timestamp:
06/06/2012 08:34:24 PM (7 years ago)
Author:
nacin
Message:

Theme Customizer: Block non-existent or non-allowed themes, unless the non-allowed theme is the active theme. Support a user having edit_theme_options xor switch_themes. fixes #20852.

Location:
trunk
Files:
7 edited

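--- a/trunk/wp-admin/admin-header.php
+++ b/trunk/wp-admin/admin-header.php
@@ -103,5 +103,5 @@
 // If the customize-loader script is enqueued, make sure the customize
 // body classes are correct as early as possible.
-if ( wp_script_is( 'customize-loader', 'queue' ) )
+if ( wp_script_is( 'customize-loader', 'queue' ) && current_user_can( 'edit_theme_options' ) )
     wp_customize_support_script();
 ?>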
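--- a/trunk/wp-admin/customize.php
+++ b/trunk/wp-admin/customize.php
@@ -13,9 +13,4 @@
 
 global $wp_scripts, $wp_customize;
-
-wp_reset_vars( array( 'theme' ) );
-
-if ( ! $theme )
-    $theme = get_stylesheet();
 
 $registered = $wp_scripts->registered;
@@ -49,5 +44,5 @@
 <body class="wp-full-overlay">
     <form id="customize-controls" class="wrap wp-full-overlay-sidebar">
-        <?php wp_nonce_field( 'customize_controls' ); ?>
+        <?php wp_nonce_field( 'customize_controls-' . $wp_customize->get_stylesheet() ); ?>
         <div id="customize-header-actions" class="wp-full-overlay-header">
             <?php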
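Review bot: Dropping `wp_reset_vars( array( 'theme' ) )` and the `get_stylesheet()` fallback leaves no `$theme` variable in this file, so any later read of `$theme` in customize.php outside these two hunks would now raise an undefined-variable notice; worth confirming nothing below the form still uses it. The per-stylesheet nonce on new line 46 is the right binding, since the save handler in WP_Customize_Manager checks the same `customize_controls-<stylesheet>` action. With the old lines gone this file no longer performs any capability or theme check of its own and relies on WP_Customize_Manager::setup_theme() having already died for disallowed requests, which is easy to miss when reading the template; a one-line comment above the nonce field such as `// Capability, existence and is_allowed() checks for the requested theme happen in WP_Customize_Manager::setup_theme().` would make that dependency explicit.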
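--- a/trunk/wp-admin/includes/class-wp-themes-list-table.php
+++ b/trunk/wp-admin/includes/class-wp-themes-list-table.php
@@ -126,5 +126,5 @@
             $author     = $theme->display('Author');
 
-            $activate_link = wp_nonce_url( "themes.php?action=activate&amp;template=" . urlencode( $template ) . "&amp;stylesheet=" . urlencode( $stylesheet ), 'switch-theme_' . $template );
+            $activate_link = wp_nonce_url( "themes.php?action=activate&amp;template=" . urlencode( $template ) . "&amp;stylesheet=" . urlencode( $stylesheet ), 'switch-theme_' . $stylesheet );
 
             $preview_link = esc_url( add_query_arg(
@@ -133,12 +133,16 @@
 
             $actions = array();
-            $actions[] = '<a href="' . $activate_link . '" class="activatelink" title="'
+            $actions['activate'] = '<a href="' . $activate_link . '" class="activatelink" title="'
                 . esc_attr( sprintf( __( 'Activate &#8220;%s&#8221;' ), $title ) ) . '">' . __( 'Activate' ) . '</a>';
-            $actions[] = '<a href="' . $preview_link . '" class="hide-if-customize" title="'
-                . esc_attr( sprintf( __( 'Preview &#8220;%s&#8221;' ), $title ) ) . '">' . __( 'Preview' ) . '</a>'
-                . '<a href="' . wp_customize_url( $stylesheet ) . '" class="load-customize hide-if-no-customize">'
-                . __( 'Live Preview' ) . '</a>';
+
+            $actions['preview'] = '<a href="' . $preview_link . '" class="hide-if-customize" title="'
+                . esc_attr( sprintf( __( 'Preview &#8220;%s&#8221;' ), $title ) ) . '">' . __( 'Preview' ) . '</a>';
+
+            if ( current_user_can( 'edit_theme_options' ) )
+                $actions['preview'] .= '<a href="' . wp_customize_url( $stylesheet ) . '" class="load-customize hide-if-no-customize">'
+                    . __( 'Live Preview' ) . '</a>';
+
             if ( ! is_multisite() && current_user_can( 'delete_themes' ) )
-                $actions['delete'] = '<a class="submitdelete deletion" href="' . wp_nonce_url( "themes.php?action=delete&amp;template=$stylesheet", 'delete-theme_' . $stylesheet )
+                $actions['delete'] = '<a class="submitdelete deletion" href="' . wp_nonce_url( "themes.php?action=delete&amp;stylesheet=$stylesheet", 'delete-theme_' . $stylesheet )
                     . '" onclick="' . "return confirm( '" . esc_js( sprintf( __( "You are about to delete this theme '%s'\n  'Cancel' to stop, 'OK' to delete." ), $title ) )
                     . "' );" . '">' . __( 'Delete' ) . '</a>';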
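Review bot: The rewritten delete link on new line 146 still interpolates `$stylesheet` straight into the query string, while the activate link on line 128 runs both template and stylesheet through urlencode(); a theme directory name containing `&`, `#`, `%` or a space would yield a delete URL whose `stylesheet` parameter no longer equals the value the nonce action `'delete-theme_' . $stylesheet` was computed from, so the referer check in themes.php would reject it. Make the two links consistent: `wp_nonce_url( "themes.php?action=delete&amp;stylesheet=" . urlencode( $stylesheet ), 'delete-theme_' . $stylesheet )`. The enclosing method begins and ends outside this section.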
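--- a/trunk/wp-admin/includes/theme.php
+++ b/trunk/wp-admin/includes/theme.php
@@ -12,17 +12,17 @@
  * @since 2.8.0
  *
- * @param string $template Template directory of the theme to delete
+ * @param string $stylesheet Stylesheet of the theme to delete
  * @param string $redirect Redirect to page when complete.
  * @return mixed
  */
-function delete_theme($template, $redirect = '') {
+function delete_theme($stylesheet, $redirect = '') {
     global $wp_filesystem;
 
-    if ( empty($template) )
+    if ( empty($stylesheet) )
         return false;
 
     ob_start();
     if ( empty( $redirect ) )
-        $redirect = wp_nonce_url('themes.php?action=delete&template=' . $template, 'delete-theme_' . $template);
+        $redirect = wp_nonce_url('themes.php?action=delete&stylesheet=' . $stylesheet, 'delete-theme_' . $stylesheet);
     if ( false === ($credentials = request_filesystem_credentials($redirect)) ) {
         $data = ob_get_contents();
@@ -62,9 +62,9 @@
 
     $themes_dir = trailingslashit( $themes_dir );
-    $theme_dir = trailingslashit($themes_dir . $template);
+    $theme_dir = trailingslashit($themes_dir . $stylesheet);
     $deleted = $wp_filesystem->delete($theme_dir, true);
 
     if ( ! $deleted )
-        return new WP_Error('could_not_remove_theme', sprintf(__('Could not fully remove the theme %s.'), $template) );
+        return new WP_Error('could_not_remove_theme', sprintf(__('Could not fully remove the theme %s.'), $stylesheet) );
 
     // Force refresh of theme update information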
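Review bot: delete_theme() still builds the directory to remove as `trailingslashit($themes_dir . $stylesheet)` (line 64) and deletes it recursively (line 65) with nothing but an empty() check on the argument (line 21); the themes.php caller in this changeset now verifies `$theme->exists()` before calling it, but delete_theme() has been public API since 2.8.0 and nothing inside it stops a caller-supplied `../something` from resolving outside the themes directory. Since the function already returns WP_Error for failures, a guard right after the empty() check keeps it self-protecting: `if ( false !== strpos( $stylesheet, '/' ) || false !== strpos( $stylesheet, '\\' ) || false !== strpos( $stylesheet, '..' ) )` followed by `return new WP_Error( 'invalid_theme', __( 'Invalid theme.' ) );` — or WordPress's validate_file() helper, if it is available to this file, covers the same cases. Where `$themes_dir` itself comes from is set between the two hunks and not visible here. The function continues past the end of this section.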
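--- a/trunk/wp-admin/themes.php
+++ b/trunk/wp-admin/themes.php
@@ -17,13 +17,17 @@
 if ( current_user_can( 'switch_themes' ) && isset($_GET['action'] ) ) {
     if ( 'activate' == $_GET['action'] ) {
-        check_admin_referer('switch-theme_' . $_GET['template']);
+        check_admin_referer('switch-theme_' . $_GET['stylesheet']);
+        $theme = wp_get_theme( $_GET['stylesheet'] );
+        if ( ! $theme->exists() || ! $theme->is_allowed() )
+            wp_die( __( 'Cheatin&#8217; uh?' ) );
         switch_theme($_GET['template'], $_GET['stylesheet']);
         wp_redirect( admin_url('themes.php?activated=true') );
         exit;
     } elseif ( 'delete' == $_GET['action'] ) {
-        check_admin_referer('delete-theme_' . $_GET['template']);
-        if ( !current_user_can('delete_themes') )
+        check_admin_referer('delete-theme_' . $_GET['stylesheet']);
+        $theme = wp_get_theme( $_GET['stylesheet'] );
+        if ( !current_user_can('delete_themes') || ! $theme->exists() )
             wp_die( __( 'Cheatin&#8217; uh?' ) );
-        delete_theme($_GET['template']);
+        delete_theme($_GET['stylesheet']);
         wp_redirect( admin_url('themes.php?deleted=true') );
         exit;
@@ -60,4 +64,6 @@
     ) );
 }
+
+endif; // switch_themes
 
 if ( current_user_can( 'edit_theme_options' ) ) {
@@ -83,6 +89,4 @@
 wp_enqueue_script( 'theme' );
 wp_enqueue_script( 'customize-loader' );
-
-endif;
 
 require_once('./admin-header.php');
@@ -121,7 +125,9 @@
 <div id="current-theme" class="<?php echo esc_attr( $class ); ?>">
     <?php if ( $screenshot ) : ?>
+        <?php if ( current_user_can( 'edit_theme_options' ) ) : ?>
         <a href="<?php echo wp_customize_url(); ?>" class="load-customize hide-if-no-customize" title="<?php echo esc_attr( $customize_title ); ?>">
             <img src="<?php echo esc_url( $screenshot ); ?>" alt="<?php esc_attr_e( 'Current theme preview' ); ?>" />
         </a>
+        <?php endif; ?>
         <img class="hide-if-customize" src="<?php echo esc_url( $screenshot ); ?>" alt="<?php esc_attr_e( 'Current theme preview' ); ?>" />
     <?php endif; ?>
@@ -141,7 +147,4 @@
     </div>
 
-<div class="theme-options">
-    <a id="customize-current-theme-link" href="<?php echo wp_customize_url(); ?>" class="load-customize hide-if-no-customize" title="<?php echo esc_attr( $customize_title ); ?>"><?php _e( 'Customize' )?></a>
-    <span><?php _e( 'Options:' )?></span>
     <?php
     // Pretend you didn't see this.
@@ -172,11 +175,24 @@
     }
 
+    if ( $options || current_user_can( 'edit_theme_options' ) ) :
     ?>
-    <ul>
-        <?php foreach ( $options as $option ) : ?>
-            <li><?php echo $option; ?></li>
-        <?php endforeach; ?>
-    </ul>
-</div>
+    <div class="theme-options">
+        <?php if ( current_user_can( 'edit_theme_options' ) ) : ?>
+        <a id="customize-current-theme-link" href="<?php echo wp_customize_url(); ?>" class="load-customize hide-if-no-customize" title="<?php echo esc_attr( $customize_title ); ?>"><?php _e( 'Customize' ); ?></a>
+        <?php
+        endif; // edit_theme_options
+        if ( $options ) :
+        ?>
+        <span><?php _e( 'Options:' )?></span>
+        <ul>
+            <?php foreach ( $options as $option ) : ?>
+                <li><?php echo $option; ?></li>
+            <?php endforeach; ?>
+        </ul>
+    </div>
+    <?php
+        endif; // options
+    endif; // options || edit_theme_options
+    ?>
 
 </div>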
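Review bot: The activate branch now validates `$_GET['stylesheet']` through wp_get_theme()->exists() and is_allowed() (new lines 20-22) but still hands the unvalidated `$_GET['template']` to switch_theme() on line 23, and the new nonce action covers only the stylesheet; on multisite that lets a request pair an allowed stylesheet with a template directory that is_allowed() never examined, and on any install it stores a template value that need not be the one the theme declares. Take both values from the object that was just checked instead: `switch_theme( $theme->get_template(), $theme->get_stylesheet() );` — get_stylesheet() is already called on a WP_Theme in the customize-manager hunk of this changeset; confirm WP_Theme exposes a matching get_template(). Both `$_GET['stylesheet']` reads also happen before any isset() check, which is a notice rather than a security issue. The `endif; // switch_themes` added on new line 67 presumably closes an alternate-syntax `if` that starts above this section, and the `wp_enqueue_script( 'customize-loader' )` call therefore now runs for edit_theme_options-only users too, matching the new capability gate in admin-header.php.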
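--- a/trunk/wp-includes/class-wp-customize-manager.php
+++ b/trunk/wp-includes/class-wp-customize-manager.php
@@ -79,8 +79,19 @@
      */
     public function setup_theme() {
-        if ( ! ( isset( $_REQUEST['customize'] ) && 'on' == $_REQUEST['customize'] ) && ! basename( $_SERVER['PHP_SELF'] ) == 'customize.php' )
-            return;
-
         send_origin_headers();
+
+        $this->original_stylesheet = get_stylesheet();
+
+        $this->theme = wp_get_theme( isset( $_REQUEST['theme'] ) ? $_REQUEST['theme'] : null );
+
+        // You can't preview a theme if it doesn't exist, or if it is not allowed (unless active).
+        if ( ! $this->theme->exists() )
+            wp_die( __( 'Cheatin&#8217; uh?' ) );
+
+        if ( $this->theme->get_stylesheet() != get_stylesheet() && ( ! $this->theme()->is_allowed() || ! current_user_can( 'switch_themes' ) ) )
+            wp_die( __( 'Cheatin&#8217; uh?' ) );
+
+        if ( ! current_user_can( 'edit_theme_options' ) )
+            wp_die( __( 'Cheatin&#8217; uh?' ) );
 
         $this->start_previewing_theme();
@@ -96,17 +107,7 @@
      */
     public function start_previewing_theme() {
-        if ( $this->is_preview() || false === $this->theme || ( $this->theme && ! $this->theme->exists() ) )
+        // Bail if we're already previewing.
+        if ( $this->is_preview() )
             return;
-
-        // Initialize $theme and $original_stylesheet if they do not yet exist.
-        if ( ! isset( $this->theme ) ) {
-            $this->theme = wp_get_theme( isset( $_REQUEST['theme'] ) ? $_REQUEST['theme'] : null );
-            if ( ! $this->theme->exists() ) {
-                $this->theme = false;
-                return;
-            }
-        }
-
-        $this->original_stylesheet = get_stylesheet();
 
         $this->previewing = true;
@@ -420,11 +421,8 @@
             die;
 
-        check_ajax_referer( 'customize_controls', 'nonce' );
+        check_ajax_referer( 'customize_controls-' . $this->get_stylesheet(), 'nonce' );
 
         // Do we have to switch themes?
         if ( $this->get_stylesheet() != $this->original_stylesheet ) {
-            if ( ! current_user_can( 'switch_themes' ) )
-                die;
-
             // Temporarily stop previewing the theme to allow switch_themes()
             // to operate properly.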
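Review bot: In setup_theme() the `edit_theme_options` check (new line 94) is evaluated last, after send_origin_headers() has already gone out on line 81 and after the request-supplied `$_REQUEST['theme']` has been loaded and inspected on lines 85-92; moving `if ( ! current_user_can( 'edit_theme_options' ) ) wp_die( __( 'Cheatin&#8217; uh?' ) );` to the first statement of the method makes it fail closed before any request-controlled value is touched and before CORS headers are emitted for a caller who is not allowed in at all. Line 91 calls `$this->theme()->is_allowed()` while lines 85 and 88 use the `$this->theme` property — presumably a theme() accessor exists, but the mixed forms read like a typo and are worth unifying to `$this->theme->is_allowed()`. Dropping the early return (old lines 81-82) means any code path that reaches setup_theme() now dies for non-customizer requests, which is fine only if the manager is constructed solely for customizer requests, something this hunk does not show. The save hunk removes its own `switch_themes` check in favour of setup_theme() having died earlier in the same request; that is defensible, but a comment at that spot such as `// switch_themes and is_allowed() were already enforced for this request in setup_theme().` would keep the next reader from treating the omission as an oversight.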
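--- a/trunk/wp-includes/js/customize-loader.dev.js
+++ b/trunk/wp-includes/js/customize-loader.dev.js
@@ -18,9 +18,6 @@
             // Check for settings, postMessage support, and whether we require CORS support.
             if ( ! Loader.settings || ! $.support.postMessage || ( ! $.support.cors && Loader.settings.isCrossDomain ) ) {
-                this.body.removeClass( 'customize-support' ).addClass( 'no-customize-support' );
                 return;
             }
-
-            this.body.removeClass( 'no-customize-support' ).addClass( 'customize-support' );
 
             this.window  = $( window );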