Timestamp:
06/06/2012 08:34:24 PM (13 years ago)
Author:
nacin
Message:

Theme Customizer: Block non-existent or non-allowed themes, unless the non-allowed theme is the active theme. Support a user having edit_theme_options xor switch_themes. fixes #20852.

File:
1 edited

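--- a/trunk/wp-includes/class-wp-customize-manager.php
+++ b/trunk/wp-includes/class-wp-customize-manager.php
@@ -79,8 +79,19 @@
      */
     public function setup_theme() {
-        if ( ! ( isset( $_REQUEST['customize'] ) && 'on' == $_REQUEST['customize'] ) && ! basename( $_SERVER['PHP_SELF'] ) == 'customize.php' )
-            return;
-
         send_origin_headers();
+
+        $this->original_stylesheet = get_stylesheet();
+
+        $this->theme = wp_get_theme( isset( $_REQUEST['theme'] ) ? $_REQUEST['theme'] : null );
+
+        // You can't preview a theme if it doesn't exist, or if it is not allowed (unless active).
+        if ( ! $this->theme->exists() )
+            wp_die( __( 'Cheatin’ uh?' ) );
+
+        if ( $this->theme->get_stylesheet() != get_stylesheet() && ( ! $this->theme()->is_allowed() || ! current_user_can( 'switch_themes' ) ) )
+            wp_die( __( 'Cheatin’ uh?' ) );
+
+        if ( ! current_user_can( 'edit_theme_options' ) )
+            wp_die( __( 'Cheatin’ uh?' ) );
 
         $this->start_previewing_theme();
@@ -96,17 +107,7 @@
      */
     public function start_previewing_theme() {
-        if ( $this->is_preview() || false === $this->theme || ( $this->theme && ! $this->theme->exists() ) )
+        // Bail if we're already previewing.
+        if ( $this->is_preview() )
             return;
-
-        // Initialize $theme and $original_stylesheet if they do not yet exist.
-        if ( ! isset( $this->theme ) ) {
-            $this->theme = wp_get_theme( isset( $_REQUEST['theme'] ) ? $_REQUEST['theme'] : null );
-            if ( ! $this->theme->exists() ) {
-                $this->theme = false;
-                return;
-            }
-        }
-
-        $this->original_stylesheet = get_stylesheet();
 
         $this->previewing = true;
@@ -420,11 +421,8 @@
             die;
 
-        check_ajax_referer( 'customize_controls', 'nonce' );
+        check_ajax_referer( 'customize_controls-' . $this->get_stylesheet(), 'nonce' );
 
         // Do we have to switch themes?
         if ( $this->get_stylesheet() != $this->original_stylesheet ) {
-            if ( ! current_user_can( 'switch_themes' ) )
-                die;
-
             // Temporarily stop previewing the theme to allow switch_themes()
             // to operate properly.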
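Review bot: The authorization rule that setup_theme() now enforces with three identical wp_die() calls is undocumented, and the third hunk depends on it: the save path drops its own `switch_themes` check, so a save that switches to a non-active theme is only safe if this setup_theme() code ran earlier in the same request. A header comment on setup_theme() stating that rule, e.g. `// Gate for the whole customizer request: edit_theme_options is always required; previewing a theme other than the active one also requires switch_themes and an allowed theme. save() relies on this having run.`, would make that dependency visible to the next maintainer. Within the check itself, `$this->theme->exists()` and `$this->theme()->is_allowed()` reach the theme two different ways — harmless if `theme()` is just the accessor, but one form should be used — and the comparison would read better as `$this->theme->get_stylesheet() !== $this->original_stylesheet`, the value assigned a few lines above. The `customize=on` early return is gone, so these checks now run whenever the hook fires; whether construction of the manager is gated elsewhere is not visible in this diff, and both setup_theme() and save() close outside their hunks.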