Changeset 38168

Timestamp:

07/27/2016 05:42:01 PM (8 years ago)

Author:

ocean90

Message:

Plugins: Move capability checks further up in wp_ajax_update_plugin() and wp_ajax_delete_plugin().

Add tests for both Ajax handlers.

Props Yorick Koster, swissspidy.
Fixes #37490.

Location:

trunk

Files:

• src/wp-admin/includes/ajax-actions.php (modified) (2 diffs)
• src/wp-admin/js/updates.js (modified) (4 diffs)
• tests/phpunit/includes/testcase-ajax.php (modified) (4 diffs)
• tests/phpunit/tests/ajax/DeletePlugin.php (added)
• tests/phpunit/tests/ajax/UpdatePlugin.php (added)

trunk/src/wp-admin/includes/ajax-actions.php

@@ -3654 +3654 @@
     }
 
-    $plugin      = plugin_basename( sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) );
-    $plugin_data = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
+    $plugin = plugin_basename( sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) );
 
     $status = array(
         'update'     => 'plugin',
-        'plugin'     => $plugin,
         'slug'       => sanitize_key( wp_unslash( $_POST['slug'] ) ),
-        'pluginName' => $plugin_data['Name'],
         'oldVersion' => '',
         'newVersion' => '',
     );
 
+    if ( ! current_user_can( 'update_plugins' ) || 0 !== validate_file( $plugin ) ) {
+        $status['errorMessage'] = __( 'Sorry, you are not allowed to update plugins for this site.' );
+        wp_send_json_error( $status );
+    }
+
+    $plugin_data          = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
+    $status['plugin']     = $plugin;
+    $status['pluginName'] = $plugin_data['Name'];
+
     if ( $plugin_data['Version'] ) {
         /* translators: %s: Plugin version */
         $status['oldVersion'] = sprintf( __( 'Version %s' ), $plugin_data['Version'] );
-    }
-
-    if ( ! current_user_can( 'update_plugins' ) ) {
-        $status['errorMessage'] = __( 'Sorry, you are not allowed to update plugins for this site.' );
-        wp_send_json_error( $status );
     }
 
@@ -3749 +3750 @@
 
     if ( empty( $_POST['slug'] ) || empty( $_POST['plugin'] ) ) {
-        wp_send_json_error( array( 'errorCode' => 'no_plugin_specified' ) );
-    }
-
-    $plugin      = plugin_basename( sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) );
-    $plugin_data = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
+        wp_send_json_error( array(
+            'slug'         => '',
+            'errorCode'    => 'no_plugin_specified',
+            'errorMessage' => __( 'No plugin specified.' ),
+        ) );
+    }
+
+    $plugin = plugin_basename( sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) );
 
     $status = array(
-        'delete'     => 'plugin',
-        'slug'       => sanitize_key( wp_unslash( $_POST['slug'] ) ),
-        'plugin'     => $plugin,
-        'pluginName' => $plugin_data['Name'],
+        'delete' => 'plugin',
+        'slug'   => sanitize_key( wp_unslash( $_POST['slug'] ) ),
     );
 
-    if ( ! current_user_can( 'delete_plugins' ) ) {
+    if ( ! current_user_can( 'delete_plugins' ) || 0 !== validate_file( $plugin ) ) {
         $status['errorMessage'] = __( 'Sorry, you are not allowed to delete plugins for this site.' );
         wp_send_json_error( $status );
     }
+
+    $plugin_data          = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
+    $status['plugin']     = $plugin;
+    $status['pluginName'] = $plugin_data['Name'];
 
     if ( is_plugin_active( $plugin ) ) {

trunk/src/wp-admin/js/updates.js

@@ -448 +448 @@
 
         if ( 'plugins' === pagenow || 'plugins-network' === pagenow ) {
-            $message = $( 'tr[data-plugin="' + response.plugin + '"]' ).find( '.update-message' );
+            if ( response.plugin ) {
+                $message = $( 'tr[data-plugin="' + response.plugin + '"]' ).find( '.update-message' );
+            } else {
+                $message = $( 'tr[data-slug="' + response.slug + '"]' ).find( '.update-message' );
+            }
             $message.removeClass( 'updating-message notice-warning' ).addClass( 'notice-error' ).find( 'p' ).html( errorMessage );
         } else if ( 'plugin-install' === pagenow || 'plugin-install-network' === pagenow ) {
@@ -459 +463 @@
 
             $card.find( '.update-now' )
-                .attr( 'aria-label', wp.updates.l10n.updateFailedLabel.replace( '%s', response.pluginName ) )
                 .text( wp.updates.l10n.updateFailedShort ).removeClass( 'updating-message' );
+
+            if ( response.pluginName ) {
+                $card.find( '.update-now' )
+                    .attr( 'aria-label', wp.updates.l10n.updateFailedLabel.replace( '%s', response.pluginName ) );
+            }
 
             $card.on( 'click', '.notice.is-dismissible .notice-dismiss', function() {
@@ -815 +823 @@
      */
     wp.updates.deletePluginError = function( response ) {
-        var $plugin          = $( 'tr.inactive[data-plugin="' + response.plugin + '"]' ),
+        var $plugin, $pluginUpdateRow,
             pluginUpdateRow  = wp.template( 'item-update-row' ),
-            $pluginUpdateRow = $plugin.siblings( '[data-plugin="' + response.plugin + '"]' ),
             noticeContent    = wp.updates.adminNotice( {
                 className: 'update-message notice-error notice-alt',
                 message:   response.errorMessage
             } );
+
+        if ( response.plugin ) {
+            $plugin          = $( 'tr.inactive[data-plugin="' + response.plugin + '"]' );
+            $pluginUpdateRow = $plugin.siblings( '[data-plugin="' + response.plugin + '"]' );
+        } else {
+            $plugin          = $( 'tr.inactive[data-slug="' + response.slug + '"]' );
+            $pluginUpdateRow = $plugin.siblings( '[data-slug="' + response.slug + '"]' );
+        }
 
         if ( ! wp.updates.isValidResponse( response, 'delete' ) ) {
@@ -836 +851 @@
                 pluginUpdateRow( {
                     slug:    response.slug,
-                    plugin:  response.plugin,
+                    plugin:  response.plugin || response.slug,
                     colspan: $( '#bulk-action-form' ).find( 'thead th:not(.hidden), thead td' ).length,
                     content: noticeContent

trunk/tests/phpunit/includes/testcase-ajax.php

@@ -19 +19 @@
     /**
      * Last AJAX response.  This is set via echo -or- wp_die.
-     * @var type
+     * @var string
      */
     protected $_last_response = '';
@@ -25 +25 @@
     /**
      * List of ajax actions called via POST
-     * @var type
+     * @var array
      */
     protected static $_core_actions_get = array(
@@ -40 +40 @@
     /**
      * List of ajax actions called via GET
-     * @var type
+     * @var array
      */
     protected static $_core_actions_post = array(
@@ -54 +54 @@
         'save-user-color-scheme', 'update-widget', 'query-themes', 'parse-embed', 'set-attachment-thumbnail',
         'parse-media-shortcode', 'destroy-sessions', 'install-plugin', 'update-plugin', 'press-this-save-post',
-        'press-this-add-category', 'crop-image', 'generate-password',
+        'press-this-add-category', 'crop-image', 'generate-password', 'save-wporg-username', 'delete-plugin',
+        'search-plugins', 'search-install-plugins', 'activate-plugin', 'update-theme', 'delete-theme',
+        'install-theme', 'get-post-thumbnail-html',
     );