Index: wp-login.php =================================================================== --- wp-login.php (revision 21027) +++ wp-login.php (working copy) @@ -82,6 +82,10 @@ $login_header_url = apply_filters( 'login_headerurl', $login_header_url ); $login_header_title = apply_filters( 'login_headertitle', $login_header_title ); + // Don't allow interim logins to navigate away from the page. + if ( $interim_login ) + $login_header_url = '#'; + ?> @@ -126,8 +130,13 @@ * @param string $input_id Which input to auto-focus */ function login_footer($input_id = '') { - ?> + global $interim_login; + + // Don't allow interim logins to navigate away from the page. + if ( ! $interim_login ): ?>

+ + @@ -555,6 +564,9 @@ default: $secure_cookie = ''; $interim_login = isset($_REQUEST['interim-login']); + $customize_login = isset( $_REQUEST['customize-login'] ); + if ( $customize_login ) + wp_enqueue_script( 'customize-base' ); // If the user wants ssl but the session is not ssl, force a secure cookie. if ( !empty($_POST['log']) && !force_ssl_admin() ) { @@ -592,10 +604,18 @@ if ( $interim_login ) { $message = '

' . __('You have logged in successfully.') . '

'; login_header( '', $message ); ?> + +

- + + + + + + + + + +

Index: wp-includes/class-wp-customize-manager.php =================================================================== --- wp-includes/class-wp-customize-manager.php (revision 21027) +++ wp-includes/class-wp-customize-manager.php (working copy) @@ -17,6 +17,8 @@ protected $sections = array(); protected $controls = array(); + protected $nonce_tick; + protected $customized; private $_post_values; @@ -31,6 +33,8 @@ require( ABSPATH . WPINC . '/class-wp-customize-section.php' ); require( ABSPATH . WPINC . '/class-wp-customize-control.php' ); + add_filter( 'wp_die_handler', array( $this, 'wp_die_handler' ) ); + add_action( 'setup_theme', array( $this, 'setup_theme' ) ); add_action( 'wp_loaded', array( $this, 'wp_loaded' ) ); @@ -53,6 +57,43 @@ } /** + * Return true if it's an AJAX request. + * + * @since 3.4.0 + */ + public function doing_ajax() { + return isset( $_POST['customized'] ) || ( defined( 'DOING_AJAX' ) && DOING_AJAX ); + } + + /** + * Custom wp_die wrapper. Returns either the standard message for UI + * or the AJAX message. + * + * @param mixed $ajax_message AJAX return + * @param mixed $message UI message + * + * @since 3.4.0 + */ + private function wp_die( $ajax_message, $message ) { + if ( $this->doing_ajax() ) + wp_die( $ajax_message ); + + wp_die( $message ); + } + + /** + * Return the AJAX wp_die() handler if it's a customized request. + * + * @since 3.4.0 + */ + public function wp_die_handler() { + if ( $this->doing_ajax() ) + return '_ajax_wp_die_handler'; + + return '_default_wp_die_handler'; + } + + /** * Start preview and customize theme. * * Check if customize query variable exist. Init filters to filter the current theme. @@ -60,8 +101,10 @@ * @since 3.4.0 */ public function setup_theme() { - if ( is_admin() && ! defined( 'DOING_AJAX' ) ) - auth_redirect(); + if ( is_admin() && ! $this->doing_ajax() ) + auth_redirect(); + elseif ( $this->doing_ajax() && ! is_user_logged_in() ) + wp_die( 0 ); send_origin_headers(); @@ -71,14 +114,17 @@ // You can't preview a theme if it doesn't exist, or if it is not allowed (unless active). if ( ! $this->theme->exists() ) - wp_die( __( 'Cheatin’ uh?' ) ); + $this->wp_die( -1, __( 'Cheatin’ uh?' ) ); if ( $this->theme->get_stylesheet() != get_stylesheet() && ( ! $this->theme()->is_allowed() || ! current_user_can( 'switch_themes' ) ) ) - wp_die( __( 'Cheatin’ uh?' ) ); + $this->wp_die( -1, __( 'Cheatin’ uh?' ) ); if ( ! current_user_can( 'edit_theme_options' ) ) - wp_die( __( 'Cheatin’ uh?' ) ); + $this->wp_die( -1, __( 'Cheatin’ uh?' ) ); + if ( $this->doing_ajax() && ! defined( 'DOING_AJAX' ) ) // Fire on previews. + $this->nonce_tick = check_ajax_referer( 'customize_preview-' . $this->get_stylesheet(), 'nonce' ); + $this->start_previewing_theme(); show_admin_bar( false ); } @@ -300,6 +346,11 @@ 'backgroundImageHasDefault' => current_theme_supports( 'custom-background', 'default-image' ), ); + if ( 2 == $this->nonce_tick ) { + $settings['customize-controls-nonce'] = wp_create_nonce( 'customize-controls-' . $this->get_stylesheet() ); + $settings['customize-preview-nonce'] = wp_create_nonce( 'customize_preview-' . $this->get_stylesheet() ); + } + foreach ( $this->settings as $id => $setting ) { $settings['values'][ $id ] = $setting->js_value(); } @@ -949,4 +1000,4 @@ return '#' . $unhashed; return $color; -} \ No newline at end of file +} Index: wp-includes/script-loader.php =================================================================== --- wp-includes/script-loader.php (revision 21027) +++ wp-includes/script-loader.php (working copy) @@ -305,6 +305,7 @@ 'saved' => __( 'Saved' ), 'cancel' => __( 'Cancel' ), 'close' => __( 'Close' ), + 'cheatin' => __( 'Cheatin’ uh?' ), ) ); if ( is_admin() ) { Index: wp-admin/customize.php =================================================================== --- wp-admin/customize.php (revision 21027) +++ wp-admin/customize.php (working copy) @@ -7,6 +7,8 @@ * @since 3.4.0 */ +define( 'IFRAME_REQUEST', true ); + require_once( './admin.php' ); if ( ! current_user_can( 'edit_theme_options' ) ) wp_die( __( 'Cheatin’ uh?' ) ); @@ -57,7 +59,8 @@
- get_stylesheet() ); ?> + get_stylesheet(), 'customize-controls-nonce', false ); ?> + get_stylesheet(), 'customize-preview-nonce', false ); ?>
is_theme_active() ? __( 'Save & Publish' ) : __( 'Save & Activate' ); @@ -140,6 +143,11 @@ 'TB_iframe' => 'true' ), home_url( '/' ) ); + $login_url = add_query_arg( array( + 'interim-login' => 1, + 'customize-login' => 1 + ), wp_login_url() ); + $settings = array( 'theme' => array( 'stylesheet' => $wp_customize->get_stylesheet(), @@ -153,6 +161,7 @@ 'allowed' => array_map( 'esc_url', $allowed_urls ), 'isCrossDomain' => $cross_domain, 'fallback' => $fallback_url, + 'login' => $login_url, ), 'browser' => array( 'mobile' => wp_is_mobile(), Index: wp-admin/js/customize-controls.dev.js =================================================================== --- wp-admin/js/customize-controls.dev.js (revision 21027) +++ wp-admin/js/customize-controls.dev.js (working copy) @@ -334,6 +334,18 @@ return; } + // Check if the user is not logged in. + if ( '0' === response ) { + deferred.rejectWith( self, [ 'logged out' ] ); + return; + } + + // Check for cheaters. + if ( '-1' === response ) { + deferred.rejectWith( self, [ 'cheatin' ] ); + return; + } + // Check for a signature in the request. index = response.lastIndexOf( signature ); if ( -1 === index || index < response.lastIndexOf('') ) { @@ -541,7 +553,52 @@ this.loading.fail( function( reason, location ) { if ( 'redirect' === reason && location ) self.url( location ); + + if ( 'logged out' === reason ) { + if ( self.iframe ) { + self.iframe.destroy(); + delete self.iframe; + } + + self.login().done( self.refresh ); + } + + if ( 'cheatin' === reason ) + self.cheatin(); }); + }, + + login: function() { + var previewer = this, + deferred, messenger, iframe; + + if ( this._login ) + return this._login; + + deferred = $.Deferred(); + this._login = deferred.promise(); + + messenger = new api.Messenger({ + channel: 'login', + url: api.settings.url.login + }); + + iframe = $('