Changeset 56850
- Timestamp:
- 10/12/2023 02:21:47 PM (14 months ago)
- Location:
- branches/4.1/src
- Files:
-
- 7 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/4.1/src/wp-admin/includes/ajax-actions.php
r55772 r56850 829 829 wp_die( 0 ); 830 830 } 831 831 832 832 if ( ! current_user_can( $tax->cap->assign_terms ) ) { 833 833 wp_die( -1 ); … … 2768 2768 } 2769 2769 2770 setup_postdata( $post ); 2771 $shortcode = do_shortcode( wp_unslash( $_POST['shortcode'] ) ); 2770 $shortcode = wp_unslash( $_POST['shortcode'] ); 2771 2772 // Only process previews for media related shortcodes: 2773 $found_shortcodes = get_shortcode_tags_in_content( $shortcode ); 2774 $media_shortcodes = array( 2775 'audio', 2776 'embed', 2777 'playlist', 2778 'video', 2779 'gallery', 2780 ); 2781 2782 $other_shortcodes = array_diff( $found_shortcodes, $media_shortcodes ); 2783 2784 if ( ! empty( $other_shortcodes ) ) { 2785 wp_send_json_error(); 2786 } 2787 2788 if ( ! empty( $_POST['post_ID'] ) ) { 2789 $post = get_post( (int) $_POST['post_ID'] ); 2790 } 2791 2792 // the embed shortcode requires a post 2793 if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) { 2794 if ( in_array( 'embed', $found_shortcodes, true ) ) { 2795 wp_send_json_error(); 2796 } 2797 } else { 2798 setup_postdata( $post ); 2799 } 2772 2800 2773 2801 if ( empty( $shortcode ) ) { … … 2836 2864 } else { 2837 2865 $sessions->destroy_all(); 2838 /* translators: 1: User's display name. */ 2866 /* translators: 1: User's display name. */ 2839 2867 $message = sprintf( __( '%s has been logged out.' ), $user->display_name ); 2840 2868 } -
branches/4.1/src/wp-admin/includes/class-wp-comments-list-table.php
r32176 r56850 363 363 $this->user_can = current_user_can( 'edit_comment', $comment->comment_ID ); 364 364 365 $edit_post_cap = $post ? 'edit_post' : 'edit_posts'; 366 if ( 367 current_user_can( $edit_post_cap, $comment->comment_post_ID ) || 368 ( 369 empty( $post->post_password ) && 370 current_user_can( 'read_post', $comment->comment_post_ID ) 371 ) 372 ) { 373 // The user has access to the post 374 } else { 375 return false; 376 } 377 365 378 echo "<tr id='comment-$comment->comment_ID' class='$the_comment_class'>"; 366 379 $this->single_row_columns( $comment ); -
branches/4.1/src/wp-admin/includes/class-wp-list-table.php
r30679 r56850 574 574 $pending_phrase = sprintf( __( '%s pending' ), number_format( $pending_comments ) ); 575 575 576 $post_object = get_post( $post_id ); 577 $edit_post_cap = $post_object ? 'edit_post' : 'edit_posts'; 578 if ( 579 current_user_can( $edit_post_cap, $post_id ) || 580 ( 581 empty( $post_object->post_password ) && 582 current_user_can( 'read_post', $post_id ) 583 ) 584 ) { 585 // The user has access to the post and thus can see comments 586 } else { 587 return false; 588 } 589 576 590 if ( $pending_comments ) 577 591 echo '<strong>'; -
branches/4.1/src/wp-admin/includes/dashboard.php
r33375 r56850 779 779 780 780 echo '<div id="the-comment-list" data-wp-lists="list:comment">'; 781 foreach ( $comments as $comment ) 782 _wp_dashboard_recent_comments_row( $comment ); 781 foreach ( $comments as $comment ) { 782 $comment_post = get_post( $comment->comment_post_ID ); 783 if ( 784 current_user_can( 'edit_post', $comment->comment_post_ID ) || 785 ( 786 empty( $comment_post->post_password ) && 787 current_user_can( 'read_post', $comment->comment_post_ID ) 788 ) 789 ) { 790 _wp_dashboard_recent_comments_row( $comment ); 791 } 792 } 783 793 echo '</div>'; 784 794 -
branches/4.1/src/wp-includes/class-wp-theme.php
r39815 r56850 478 478 479 479 /** 480 * Perform reinitialization tasks. 481 * 482 * Prevents a callback from being injected during unserialization of an object. 483 * 484 * @return void 485 */ 486 public function __wakeup() { 487 if ( $this->parent && ! $this->parent instanceof self ) { 488 throw new UnexpectedValueException(); 489 } 490 if ( $this->headers && ! is_array( $this->headers ) ) { 491 throw new UnexpectedValueException(); 492 } 493 foreach ( $this->headers as $value ) { 494 if ( ! is_string( $value ) ) { 495 throw new UnexpectedValueException(); 496 } 497 } 498 $this->headers_sanitized = array(); 499 } 500 501 /** 480 502 * Adds theme data to cache. 481 503 * … … 1233 1255 return strnatcasecmp( $a->display( 'Name', false, true ), $b->display( 'Name', false, true ) ); 1234 1256 } 1257 1258 private static function _check_headers_property_has_correct_type( $headers ) { 1259 if ( ! is_array( $headers ) ) { 1260 return false; 1261 } 1262 foreach ( $headers as $key => $value ) { 1263 if ( ! is_string( $key ) || ! is_string( $value ) ) { 1264 return false; 1265 } 1266 } 1267 return true; 1268 } 1235 1269 } -
branches/4.1/src/wp-includes/media.php
r55772 r56850 975 975 } 976 976 } elseif ( ! empty( $atts['exclude'] ) ) { 977 $post_parent_id = $id; 977 978 $attachments = get_children( array( 'post_parent' => $id, 'exclude' => $atts['exclude'], 'post_status' => 'inherit', 'post_type' => 'attachment', 'post_mime_type' => 'image', 'order' => $atts['order'], 'orderby' => $atts['orderby'] ) ); 978 979 } else { 980 $post_parent_id = $id; 979 981 $attachments = get_children( array( 'post_parent' => $id, 'post_status' => 'inherit', 'post_type' => 'attachment', 'post_mime_type' => 'image', 'order' => $atts['order'], 'orderby' => $atts['orderby'] ) ); 982 } 983 984 if ( ! empty( $post_parent_id ) ) { 985 $post_parent = get_post( $post_parent_id ); 986 987 // terminate the shortcode execution if user cannot read the post or password-protected 988 if ( 989 ( ! is_post_publicly_viewable( $post_parent->ID ) && ! current_user_can( 'read_post', $post_parent->ID ) ) 990 || post_password_required( $post_parent ) ) { 991 return ''; 992 } 980 993 } 981 994 … … 1269 1282 } 1270 1283 1284 if ( ! empty( $args['post_parent'] ) ) { 1285 $post_parent = get_post( $id ); 1286 1287 // terminate the shortcode execution if user cannot read the post or password-protected 1288 if ( ! current_user_can( 'read_post', $post_parent->ID ) || post_password_required( $post_parent ) ) { 1289 return ''; 1290 } 1291 } 1292 1271 1293 if ( empty( $attachments ) ) { 1272 1294 return ''; -
branches/4.1/src/wp-includes/shortcodes.php
r34146 r56850 171 171 172 172 /** 173 * Search content for shortcodes and filter shortcodes through their hooks. 173 * Returns a list of registered shortcode names found in the given content. 174 * 175 * Example usage: 176 * 177 * get_shortcode_tags_in_content( '[audio src="file.mp3"][/audio] [foo] [gallery ids="1,2,3"]' ); 178 * // array( 'audio', 'gallery' ) 179 * 180 * @since 6.3.2 181 * 182 * @param string $content The content to check. 183 * @return string[] An array of registered shortcode names found in the content. 184 */ 185 function get_shortcode_tags_in_content( $content ) { 186 if ( false === strpos( $content, '[' ) ) { 187 return array(); 188 } 189 190 preg_match_all( '/' . get_shortcode_regex() . '/', $content, $matches, PREG_SET_ORDER ); 191 if ( empty( $matches ) ) { 192 return array(); 193 } 194 195 $tags = array(); 196 foreach ( $matches as $shortcode ) { 197 $tags[] = $shortcode[2]; 198 199 if ( ! empty( $shortcode[5] ) ) { 200 $deep_tags = get_shortcode_tags_in_content( $shortcode[5] ); 201 if ( ! empty( $deep_tags ) ) { 202 $tags = array_merge( $tags, $deep_tags ); 203 } 204 } 205 } 206 207 return $tags; 208 } 209 210 /** 211 * Searches content for shortcodes and filter shortcodes through their hooks. 174 212 * 175 213 * If there are no shortcode tags defined, then the content will be returned
Note: See TracChangeset
for help on using the changeset viewer.