WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#20852 closed defect (bug) (fixed)

Theme Customizer: check for existence and allowed usage of previewed theme

Reported by: lancewillett Owned by: nacin
Milestone: 3.4 Priority: normal
Severity: blocker Version:
Component: Customize Keywords: has-patch dev-feedback

Description (last modified by lancewillett)

Currently the Theme Customizer does not check for the existence of a given theme based on the theme query variable.

The admin file should throw an error early on if the theme:

  1. Doesn't exist
  2. Isn't allowed for current blog (multisite only)

Patch attached.

Attachments (3)

20852.diff (558 bytes) - added by lancewillett 7 years ago.
20852.2.diff (13.1 KB) - added by nacin 7 years ago.
20852.3.diff (12.3 KB) - added by nacin 7 years ago.


Change History (10)

@lancewillett
7 years ago

#1 @nacin
7 years ago

  • Milestone changed from Awaiting Review to 3.4
  • Severity changed from normal to blocker

#2 @lancewillett
7 years ago

  • Description modified (diff)

#3 @lancewillett
7 years ago

  • Description modified (diff)

#4 @nacin
7 years ago

Seems like there are possibly more holes here, such as through the save() manager method and the manager in general.

I can do a full audit in the morning.

@nacin
7 years ago

@nacin
7 years ago

#5 @nacin
7 years ago

20852.3.diff

Big things:

  • Blocks non-existent or non-allowed themes from being customized, unless the non-allowed theme is the active theme.
  • Fully supports a user having edit_theme_options XOR switch_themes (in both directions).

General changelog:

  • moves manager->theme setup from start_previewing_theme() earlier to setup_theme()
  • removes the $_REQUEST['customize'] check from the manager. I originally moved it to the top of the constructor to fire it earlier, but as the check already occurs when core instantiates it in _wp_customize_include(), we don't need it.
  • Prevents the loader from dealing with customize-support body classes. If you want these, you must use wp_customize_support_script(). This is necessary to allow us to conditionally call wp_customize_support_script() (such as a cap check) without the Loader then overriding our decision.
  • Clarifies URL arguments for deletion/activation and makes customizer nonces theme-specific
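
The following is an added, standalone PHP illustration of the access rule described in the comment above (block non-existent or non-allowed themes from being customized, unless the non-allowed theme is the active theme). It is not the attached patch and not WordPress's own code. The decision function takes the facts as plain arguments so that it runs without WordPress; the comment at the end shows how those facts would be obtained from wp_get_theme()->exists(), wp_get_theme()->is_allowed(), get_stylesheet() and current_user_can(). Requiring edit_theme_options for any customizing and switch_themes for previewing a non-active theme is this example's reading of the edit_theme_options / switch_themes split, an assumption rather than something the ticket spells out. The scenario table at the bottom is constructed sample input.

```php
<?php
/**
 * Decide whether a requested theme may be loaded into the Customizer.
 *
 * Standalone model of the rule in ticket #20852; not the project's code.
 * In WordPress the inputs would come from wp_get_theme( $stylesheet )->exists(),
 * wp_get_theme( $stylesheet )->is_allowed(), get_stylesheet() and
 * current_user_can(); here they are passed in so the function runs anywhere.
 *
 * @return array{allowed: bool, reason: string}
 */
function customize_preview_decision(
    string $requested,
    string $active,
    bool $exists,
    bool $is_allowed,
    bool $can_edit_theme_options,
    bool $can_switch_themes
): array {
    // Assumption: every Customizer user needs edit_theme_options, since the
    // whole screen is about editing theme options.
    if ( ! $can_edit_theme_options ) {
        return array( 'allowed' => false, 'reason' => 'missing edit_theme_options' );
    }

    // Ticket case 1: the theme must exist on disk.
    if ( ! $exists ) {
        return array( 'allowed' => false, 'reason' => 'theme does not exist' );
    }

    // The active theme is always customizable, even if the network no longer
    // allows it ("unless the non-allowed theme is the active theme").
    if ( $requested === $active ) {
        return array( 'allowed' => true, 'reason' => 'active theme' );
    }

    // Ticket case 2: any other theme must be allowed on this site (multisite).
    if ( ! $is_allowed ) {
        return array( 'allowed' => false, 'reason' => 'theme not allowed on this site' );
    }

    // Assumption: previewing a theme that is not active is a step toward
    // activating it, so it additionally requires switch_themes.
    if ( ! $can_switch_themes ) {
        return array( 'allowed' => false, 'reason' => 'missing switch_themes' );
    }

    return array( 'allowed' => true, 'reason' => 'allowed, switchable theme' );
}

// Constructed scenarios (not from the ticket). Each row:
// [requested, active, exists, is_allowed, edit_theme_options, switch_themes, expected]
$cases = array(
    'active theme, all caps'                   => array( 'twentyeleven',   'twentyeleven', true,  true,  true,  true,  true ),
    'active theme, network-disallowed'         => array( 'twentyeleven',   'twentyeleven', true,  false, true,  true,  true ),
    'non-existent theme'                       => array( 'does-not-exist', 'twentyeleven', false, false, true,  true,  false ),
    'other allowed theme, can switch'          => array( 'twentyten',      'twentyeleven', true,  true,  true,  true,  true ),
    'other allowed theme, cannot switch'       => array( 'twentyten',      'twentyeleven', true,  true,  true,  false, false ),
    'other disallowed theme, can switch'       => array( 'twentyten',      'twentyeleven', true,  false, true,  true,  false ),
    'switch_themes without edit_theme_options' => array( 'twentyten',      'twentyeleven', true,  true,  false, true,  false ),
);

foreach ( $cases as $name => $c ) {
    $d = customize_preview_decision( $c[0], $c[1], $c[2], $c[3], $c[4], $c[5] );
    printf( "%-42s %s (%s)\n", $name, $d['allowed'] ? 'ALLOW' : 'BLOCK', $d['reason'] );
    if ( $d['allowed'] !== $c[6] ) {
        fwrite( STDERR, "unexpected decision for: $name\n" );
        exit( 1 );
    }
}

// How the same decision would be fed inside WordPress (assumption about wiring;
// the functions named are real WordPress APIs, the glue is this example's):
//
// $theme = wp_get_theme( isset( $_REQUEST['theme'] ) ? $_REQUEST['theme'] : get_stylesheet() );
// $d = customize_preview_decision(
//     $theme->get_stylesheet(), get_stylesheet(), $theme->exists(), $theme->is_allowed(),
//     current_user_can( 'edit_theme_options' ), current_user_can( 'switch_themes' )
// );
// if ( ! $d['allowed'] ) {
//     wp_die( 'You are not allowed to customize this theme.' );
// }
```

Run it with `php customize_check.php`; it prints one ALLOW/BLOCK line per scenario and exits non-zero if any decision differs from the expected column. The check deliberately runs before any theme files are loaded, which is the point of nacin's note about moving the theme setup earlier: a theme that does not exist or is not allowed should be refused before the preview machinery touches it, and the active theme is exempted so that a site whose theme is later network-disallowed can still be administered.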

#6 @ryan
7 years ago

Looks good. Tested single site and multisite. Tested network deactivate and activate. Tested with different roles.

#7 @nacin
7 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In [21010]:

Theme Customizer: Block non-existent or non-allowed themes, unless the non-allowed theme is the active theme. Support a user having edit_theme_options xor switch_themes. fixes #20852.
