WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#5262 closed enhancement (wontfix)

Theme editor should allow creation of files.

Reported by: youngmicroserf
Owned by:
Milestone:
Priority: normal
Severity: minor
Version: 2.3
Component: Administration
Keywords: admin theme theme-editor
Focuses:
Cc:

Description

I find it annoying that the built in theme editor doesn't allow the creation of files, say, a specific category template, but that I have to resort to my ftp programme to do so.

Change History (15)

comment:1 @santosj 7 years ago

I think that would be a very bad idea for something that is built in. If anyone was able to gain access to that section, they would own you.

comment:2 @foolswisdom 7 years ago

santosj, if they only can create files in the theme directory, how are you any more owned than you already are?

comment:3 follow-up: @santosj 7 years ago

Yeah, they can still include the wp-config.php and totally pwn the server without their mad skillz.

Creating files should only be allowed by FTP only. For security. Unless you like, want other people to be able to customize their stuff and use other themes. It might be a pain, but you know because I don't really.

comment:4 in reply to: ↑ 3 @foolswisdom 7 years ago

Replying to santosj:

Yeah, they can still include the wp-config.php and totally pwn the server without their mad skillz.

I still don't understand. They could *already* edit an existing theme file to do just that.

comment:5 @Otto42 7 years ago

We're talking about editing PHP code directly here. If they want to create a file, they can create any file they like. Edit the functions.php file in the theme and add this:

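// Added to the theme's functions.php, so it runs on the next page load.
$filename = 'wp-content/themes/themename/whatever.php';
// Only write the file if it does not exist yet.
if (!file_exists($filename)) {
    $file = fopen($filename, "w");
    fwrite($file, '<?php bad_code() ?>');
    fclose($file);
}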

Done and done. Very next page load, functions.php is loaded and the file is created (assuming permissions are allowable to do that). I've used this trick to create files in the theme directory and then edited them directly using the editor before.

There is no security added by not being directly allowed to create files. If you can edit the code, you can create files as well.

comment:6 follow-up: @darkdragon 7 years ago

I'm saying it would be helpful for hardcore FTP uploaders, like me, if that capability was completely removable. I don't use the edit theme or plugin mis-feature.

comment:7 in reply to: ↑ 6 @rob1n 7 years ago

Replying to darkdragon:

I'm saying it would be helpful for hardcore FTP uploaders, like me, if that capability was completely removable. I don't use the edit theme or plugin mis-feature.

Wouldn't make a difference to you if you don't use it anyways, right?

comment:8 @rob1n 7 years ago

And on the main subject at hand, I don't think that creation of files would be a useful addition. The built-in editors are pretty useless anyways, apart from quick, casual edits. Doesn't really make sense to spend time to extend functionality that is already of little use.

comment:9 @jaredbangs 7 years ago

I think it's probably a bad idea for any directory in the wp install to be writable, because of similar issues to those we discussed recently in #5174.

Of course you have to allow the uploads directory to be writable if you want to support uploads (from within WP), but even that opens up the possibility of weird stuff happening by a misbehaved plugin.

It's kind of a moot point in most cases, I guess, though, since I suspect that for most WP installs the directories are all left writable by the web server, and most people probably also don't inspect all the plugin code they add to their blogs to make sure they're not doing something nasty.

I'm actually a bit surprised that I haven't heard of plugins and/or themes doing stuff like this, but I guess the whole sponsored theme thing recently was similar, in terms of what lengths they were going to to try to cover their tracks.
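
Comments 5 and 9 both hinge on what the web server account is allowed to write: the editor can only save to files that account can write, and the functions.php trick from comment 5 only creates a file where the directory is writable. The script below is an added example, not part of the ticket or of WordPress; it reports both cases from mode bits, and the function names, sample tree and account uid are constructed for illustration.

```python
import os
import tempfile

def allowed(st, uid, gids, want):
    """True if account (uid, gids) holds every rwx bit in `want` on this inode.
    Mode bits only: ACLs, read-only mounts and parent directories are ignored."""
    if uid == 0:
        return True                       # root is not bound by mode bits
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return (st.st_mode >> shift) & want == want

def audit_themes(themes_dir, uid, gids):
    """Return (dirs where the account can create files, .php files it can edit)."""
    creatable, editable = [], []
    for root, _dirs, files in os.walk(themes_dir):
        # Creating a file needs write + search (0o3) on the directory.
        if allowed(os.stat(root), uid, gids, 0o3):
            creatable.append(os.path.relpath(root, themes_dir))
        for name in files:
            path = os.path.join(root, name)
            # Saving from the theme editor needs write (0o2) on the file itself.
            if name.endswith(".php") and allowed(os.stat(path), uid, gids, 0o2):
                editable.append(os.path.relpath(path, themes_dir))
    return sorted(creatable), sorted(editable)

def build_demo_tree(base):
    """Constructed sample layout (not from the ticket): two themes, mixed modes."""
    layout = {"classic": (0o755, {"index.php": 0o644, "functions.php": 0o666}),
              "custom": (0o777, {"functions.php": 0o644})}
    for theme, (dir_mode, files) in layout.items():
        os.mkdir(os.path.join(base, theme))
        for name, mode in files.items():
            path = os.path.join(base, theme, name)
            open(path, "w").close()
            os.chmod(path, mode)
        os.chmod(os.path.join(base, theme), dir_mode)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical web server account: not the file owner, in no matching group.
        dirs, files = audit_themes(build_demo_tree(tmp), os.getuid() + 12345, set())
        print("can create files in:", dirs)
        print("can edit:", files)
```

A tree where both lists come back empty for the web server account is one where the editor cannot save and the file-creation snippet from comment 5 has nowhere to write.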

comment:10 @Otto42 7 years ago

All I'm saying is that code editing = code adding, basically. For those of us that do use it and find it useful, it would be nice to not have to resort to silly hacks like I posted before. I mean, really, if you have role/capability to edit code, then adding new files is the same basic thing.

comment:11 @darkdragon 7 years ago

Kidding aside, you are trying to add something that is better left to other devices. HTTP uploading is okay, because it solves the difficulty of FTP and needing an FTP client.

Editors are okay for those who can't write HTML proficiently and need to resort to such things. However the illustration of the point is that the WordPress editor is not as good and never will be as good as Dreamweaver, etc. You could argue that we should make it as close, but I don't see anyone spending that long of a time doing so.

Once you open up creating files, you open up the discussion to create a file manager and that my friends is something that is better left to applications that are built specifically for that purpose and that purpose alone.

Reproducing such things is nice, but file managers already exist. I don't see how difficult it is to, I don't know, open up Dreamweaver, PDT, whatever, and create and edit the files in that fashion.

The argument would be for something like WordPress.com (and I doubt they'll open that without heavy restrictions) where you'll want people to create files and manage them. If you were to add them, you'll be reinventing a wheel that many other web applications have already replicated.

If your desire is to have fun and play around with such concepts, then by all means do not listen to me (I do the same thing by the way for the sake of fun). However, advocating something that sucks to make it suck less doesn't seem logical if the result is still that the feature sucks.

comment:12 follow-up: @foolswisdom 7 years ago

The reality is that many, many people do minor tweaks to their theme from that interface -- hard to believe, yes, but I have witnessed it! This can hardly be called a mis-feature, santosj/darkdragon.

This sounds interesting, but I think more interesting is first
Pimping the theme/plugin editors, but alas no one has risen to the call ;-)

comment:13 @darkdragon 7 years ago

The only thing you've convinced me of, is that if I didn't already have too much to do, I would try it... as a plugin. File Managers would be sexy and I like sexy. However I do think that #5259 should be included in such a plugin.

Hmm, this could quite become a feature of a project I'm planning on working on when I get bored of documentation writing. So many things that would be fun to do but so little time.

Good luck to anyone that makes this a plugin.

comment:14 in reply to: ↑ 12 @Otto42 7 years ago

Replying to foolswisdom:

The reality is that many, many people do minor tweaks to their theme from that interface -- hard to believe, yes, but I have witnessed it! This can hardly be called a mis-feature, santosj/darkdragon.

I gotta agree here. For one thing, I use this simple text editing functionality all the time. It's extremely handy to be able to change things and/or play around with plugin code on the fly. You simply have to not make any mistakes. :)

comment:15 @azaozz 7 years ago

  • Milestone 2.6 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Closing as wontfix. At best - plugin territory.
