Opened 12 years ago
Closed 12 years ago
#20852 closed defect (bug) (fixed)
Theme Customizer: check for existence and allowed usage of previewed theme
Reported by: | lancewillett | Owned by: | nacin |
---|---|---|---|
Milestone: | 3.4 | Priority: | normal |
Severity: | blocker | Version: | |
Component: | Customize | Keywords: | has-patch dev-feedback |
Focuses: | Cc: |
Description (last modified by )
Currently Theme Customizer does not check for existence of a given theme based on the theme
query variable.
The admin file should throw an error early on if the theme:
- Doesn't exist
- Isn't allowed for current blog (multisite only)
Patch attached.
Attachments (3)
Change History (10)
#1
@
12 years ago
- Milestone changed from Awaiting Review to 3.4
- Severity changed from normal to blocker
#5
@
12 years ago
Big things:
- Blocks non-existent or non-allowed themes from being customized, unless the non-allowed theme is the active theme.
- Fully supports a user having edit_theme_options XOR switch_themes (in both directions).
General changelog:
- moves manager->theme setup from start_previewing_theme() earlier to setup_theme()
- removes the
$_REQUEST['customize']
check from the manager. I originally moved it to the top of the constructor to fire it earlier, but as the check already occurs when core instantiates it in _wp_customize_include(), we don't need it. - Prevents the loader from dealing with customize-support body classes. If you want these, you must use wp_customize_support_script(). This is necessary to allow us to conditionally call wp_customize_support_script() (such as a cap check) without the Loader then overriding our decision.
- Clarifies URL arguments for deletion/activation and makes customizer nonces theme-specific
Note: See
TracTickets for help on using
tickets.
Seems like there are possibly more holes here, such as through the save() manager method and the manager in general.
I can do a full audit in the morning.