Timestamp:
05/20/2020 06:47:24 PM (11 months ago)
Author:
whyisjake
Message:

Security: Add user interface to auto-update themes and plugins.

Building on core update mechanisms, this adds the ability to enable automatic updates for themes and plugins to the WordPress admin.

Fixes: #50052.
Props: afercia, afragen, audrasjb, azaozz, bookdude13, davidperonne, desrosj, gmays, javiercasares, karmatosed, knutsp, mapk, mukesh27, netweb, nicolaskulka, nielsdeblaauw, paaljoachim, passoniate, pbiron, pedromendonca, whodunitagency, whyisjake, wpamitkumar, and xkon.

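--- a/trunk/src/wp-admin/includes/ajax-actions.php
+++ b/trunk/src/wp-admin/includes/ajax-actions.php
@@ -4568,4 +4568,7 @@
     check_ajax_referer( 'updates' );
 
+    // Ensure after_plugin_row_{$plugin_file} gets hooked.
+    wp_plugin_update_rows();
+
     $pagenow = isset( $_POST['pagenow'] ) ? sanitize_key( $_POST['pagenow'] ) : '';
     if ( 'plugins-network' === $pagenow || 'plugins' === $pagenow ) {
@@ -5268,2 +5271,72 @@
     exit( wp_create_nonce( 'wp_rest' ) );
 }
+
+/**
+ * Ajax handler to enable or disable plugin and theme auto-updates.
+ *
+ * @since 5.5.0
+ */
+function wp_ajax_toggle_auto_updates() {
+    check_ajax_referer( 'updates' );
+
+    if ( empty( $_POST['type'] ) || empty( $_POST['asset'] ) || empty( $_POST['state'] ) ) {
+        wp_send_json_error( array( 'error' => __( 'Invalid data. No selected item.' ) ) );
+    }
+
+    $asset = sanitize_text_field( urldecode( $_POST['asset'] ) );
+
+    if ( 'enable' !== $_POST['state'] && 'disable' !== $_POST['state'] ) {
+        wp_send_json_error( array( 'error' => __( 'Invalid data. Unknown state.' ) ) );
+    }
+    $state = $_POST['state'];
+
+    if ( 'plugin' !== $_POST['type'] && 'theme' !== $_POST['type'] ) {
+        wp_send_json_error( array( 'error' => __( 'Invalid data. Unknown type.' ) ) );
+    }
+    $type = $_POST['type'];
+
+    switch ( $type ) {
+        case 'plugin':
+            if ( ! current_user_can( 'update_plugins' ) ) {
+                $error_message = __( 'You do not have permission to modify plugins.' );
+                wp_send_json_error( array( 'error' => $error_message ) );
+            }
+
+            $option = 'auto_update_plugins';
+            /** This filter is documented in wp-admin/includes/class-wp-plugins-list-table.php */
+            $all_items = apply_filters( 'all_plugins', get_plugins() );
+            break;
+        case 'theme':
+            if ( ! current_user_can( 'update_themes' ) ) {
+                $error_message = __( 'You do not have permission to modify themes.' );
+                wp_send_json_error( array( 'error' => $error_message ) );
+            }
+
+            $option    = 'auto_update_themes';
+            $all_items = wp_get_themes();
+            break;
+        default:
+            wp_send_json_error( array( 'error' => __( 'Invalid data. Unknown type.' ) ) );
+    }
+
+    if ( ! array_key_exists( $asset, $all_items ) ) {
+        $error_message = __( 'Invalid data. The item does not exist.' );
+        wp_send_json_error( array( 'error' => $error_message ) );
+    }
+
+    $auto_updates = (array) get_site_option( $option, array() );
+
+    if ( 'disable' === $state ) {
+        $auto_updates = array_diff( $auto_updates, array( $asset ) );
+    } else {
+        $auto_updates[] = $asset;
+        $auto_updates   = array_unique( $auto_updates );
+    }
+
+    // Remove items that have been deleted since the site option was last updated.
+    $auto_updates = array_intersect( $auto_updates, array_keys( $all_items ) );
+
+    update_site_option( $option, $auto_updates );
+
+    wp_send_json_success();
+}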
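Review bot: The `urldecode()` applied to `$_POST['asset']` on line 5286 decodes data PHP has already URL-decoded, so a plugin file or theme slug containing `+` or a literal `%xx` sequence is mangled before the `array_key_exists()` lookup on line 5322 and rejected as non-existent; either drop the call (`$asset = sanitize_text_field( $_POST['asset'] );`) or, if the client deliberately double-encodes, record that contract with a comment such as `// The JS sends the asset double-encoded; decode once more before validating.` The `default:` arm of the switch on line 5318 is unreachable because `$type` was already restricted to `'plugin'` or `'theme'` on line 5293, so it could be removed or reduced to a comment. Note also that `array_diff()` and `array_intersect()` preserve keys, so the stored option can become a sparse array after a disable; calling `array_values()` before `update_site_option()` keeps it a clean list for any consumer that serializes it as JSON, though whether any does is not visible here. The read of `get_site_option()` followed by `update_site_option()` is a non-atomic read-modify-write, so two concurrent toggles can lose one another's change — presumably acceptable for an admin UI, but worth a note in the docblock. The nonce and capability checks themselves look correct: `check_ajax_referer( 'updates' )` dies on failure, and the capability is checked before any option is written.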