Changeset 26470

Timestamp:

11/29/2013 09:00:23 AM (11 years ago)

Author:

dd32

Message:

Themes: Do extra Cap checks before outputting links, and use full URI's. See #25948

Location:

trunk/src/wp-admin

Files:

• includes/theme.php (modified) (2 diffs)
• themes.php (modified) (4 diffs)

trunk/src/wp-admin/includes/theme.php

@@ -143 +143 @@
         $theme_name = $theme->display('Name');
         $details_url = add_query_arg(array('TB_iframe' => 'true', 'width' => 1024, 'height' => 800), $update['url']); //Theme browser inside WP? replace this, Also, theme preview JS will override this on the available list.
-        $update_url = wp_nonce_url('update.php?action=upgrade-theme&theme=' . urlencode($stylesheet), 'upgrade-theme_' . $stylesheet);
+        $update_url = wp_nonce_url( admin_url( 'update.php?action=upgrade-theme&theme=' . urlencode( $stylesheet ) ), 'upgrade-theme_' . $stylesheet );
         $update_onclick = 'onclick="if ( confirm(\'' . esc_js( __("Updating this theme will lose any customizations you have made. 'Cancel' to stop, 'OK' to update.") ) . '\') ) {return true;}return false;"';
 
@@ -415 +415 @@
             'update'       => get_theme_update_available( $theme ),
             'actions'      => array(
-                'activate' => wp_nonce_url( 'themes.php?action=activate&stylesheet=' . $encoded_slug, 'switch-theme_' . $slug ),
-                'customize'=> admin_url( 'customize.php?theme=' . $encoded_slug ),
-                'delete'   => wp_nonce_url( 'themes.php?action=delete&stylesheet=' . $encoded_slug, 'delete-theme_' . $slug ),
+                'activate' => current_user_can( 'switch_themes' ) ? wp_nonce_url( admin_url( 'themes.php?action=activate&stylesheet=' . $encoded_slug ), 'switch-theme_' . $slug ) : null,
+                'customize'=> current_user_can( 'edit_theme_options' ) ? admin_url( 'customize.php?theme=' . $encoded_slug ) : null,
+                'delete'   => current_user_can( 'delete_themes' ) ? wp_nonce_url( admin_url( 'themes.php?action=delete&stylesheet=' . $encoded_slug ), 'delete-theme_' . $slug ) : null,
             ),
         );

trunk/src/wp-admin/themes.php

@@ -93 +93 @@
     'settings' => array(
         'canInstall'    => ( ! is_multisite() && current_user_can( 'install_themes' ) ),
-        'installURI'    => admin_url( 'theme-install.php' ),
-        'customizeURI'  => ( current_user_can( 'edit_theme_options' ) ) ? wp_customize_url() : null,
+        'installURI'    => ( ! is_multisite() && current_user_can( 'install_themes' ) ) ? admin_url( 'theme-install.php' ) : null,
         'confirmDelete' => __( "Are you sure you want to delete this theme?\n\nClick 'Cancel' to go back, 'OK' to confirm the delete." ),
-        'root'          => '/wp-admin/themes.php',
+        'root'          => admin_url( 'themes.php' ),
         'extraRoutes'   => '',
     ),
@@ -221 +220 @@
     <div class="theme-author"><?php printf( __( 'By %s' ), '{{{ data.author }}}' ); ?></div>
     <h3 class="theme-name">{{ data.name }}</h3>
+
     <div class="theme-actions">
 
     <# if ( data.active ) { #>
-        <span class="current-label"><?php _e( 'Current Theme' ); ?></span>
-        <# if ( wp.themes.data.settings['customizeURI'] ) { #>
-            <a class="button button-primary hide-if-no-customize" href="{{ wp.themes.data.settings['customizeURI'] }}"><?php _e( 'Customize' ); ?></a>
+        <# if ( data.actions['customize'] ) { #>
+            <a class="button button-primary hide-if-no-customize" href="{{ data.actions['customize'] }}"><?php _e( 'Customize' ); ?></a>
         <# } #>
     <# } else { #>
@@ -293 +292 @@
         <div class="active-theme">
             <a href="{{{ wp.themes.data.settings.customizeURI }}}" class="button button-primary hide-if-no-customize"><?php _e( 'Customize' ); ?></a>
-            <?php if( current_theme_supports( 'menus' ) ) { ?>
+            <?php if ( current_theme_supports( 'menus' ) ) { ?>
             <a class="button button-secondary" href="<?php echo admin_url( 'nav-menus.php' ); ?>"><?php _e( 'Menus' ); ?></a>
             <?php } ?>
@@ -301 +300 @@
         </div>
         <div class="inactive-theme">
-            <a href="{{{ data.actions.activate }}}" class="button button-primary"><?php _e( 'Activate' ); ?></a>
+            <# if ( data.actions.activate ) { #>
+                <a href="{{{ data.actions.activate }}}" class="button button-primary"><?php _e( 'Activate' ); ?></a>
+            <# } #>
             <a href="{{{ data.actions.customize }}}" class="button button-secondary"><?php _e( 'Live Preview' ); ?></a>
         </div>
 
-        <# if ( ! data.active ) { #>
+        <# if ( ! data.active && data.actions.delete ) { #>
             <a href="{{{ data.actions.delete }}}" class="delete-theme"><?php _e( 'Delete' ); ?></a>
         <# } #>