From 4e1e4745ff660785fa81d9db982605012bb13a8b Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Sun, 16 Nov 2014 06:15:29 +0000 Subject: [PATCH] Switch to a `403` response code in places where it is more appropriate than a `500` due to permissions errors. Fixes #10551 Props nacin git-svn-id: https://develop.svn.wordpress.org/trunk@30356 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-admin/custom-header.php | 6 +++--- src/wp-admin/customize.php | 2 +- src/wp-admin/edit-comments.php | 2 +- src/wp-admin/edit-tags.php | 10 +++++----- src/wp-admin/edit.php | 2 +- src/wp-admin/includes/bookmark.php | 2 +- src/wp-admin/media-upload.php | 4 ++-- src/wp-admin/nav-menus.php | 2 +- src/wp-admin/network/site-users.php | 2 +- src/wp-admin/options.php | 4 ++-- src/wp-admin/post-new.php | 2 +- src/wp-admin/press-this.php | 2 +- src/wp-admin/themes.php | 6 +++--- src/wp-admin/user-new.php | 8 ++++---- src/wp-admin/users.php | 4 ++-- src/wp-admin/widgets.php | 2 +- src/wp-includes/functions.php | 3 +-- 17 files changed, 31 insertions(+), 32 deletions(-) diff --git a/src/wp-admin/custom-header.php b/src/wp-admin/custom-header.php index cbf5018294..2527cc2cec 100644 --- a/src/wp-admin/custom-header.php +++ b/src/wp-admin/custom-header.php @@ -739,7 +739,7 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?> public function step_2() { check_admin_referer('custom-header-upload', '_wpnonce-custom-header-upload'); if ( ! current_theme_supports( 'custom-header', 'uploads' ) ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); if ( empty( $_POST ) && isset( $_GET['file'] ) ) { $attachment_id = absint( $_GET['file'] ); 
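Review bot: The new two-argument form `wp_die( __( 'Cheatin’ uh?' ), 403 )` puts the status code in the `$title` slot, so it only produces a 403 if `wp_die()` recognises an integer second argument as a response code; that normalisation is not part of this diff and should be confirmed, otherwise the page title becomes "403" and the status silently stays 500. The condition guarded here is also not a user-permission failure in the sense of the commit message — the active theme simply lacks `custom-header` upload support — so 403 is a defensible but loose fit, and a comment such as `// 403: the theme does not allow header uploads; not a capability check` would stop the next reader from hunting for a missing `current_user_can()`. `step_2()` continues past the end of the hunk.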
@@ -890,10 +890,10 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?> check_admin_referer( 'custom-header-crop-image' ); if ( ! current_theme_supports( 'custom-header', 'uploads' ) ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); if ( ! empty( $_POST['skip-cropping'] ) && ! ( current_theme_supports( 'custom-header', 'flex-height' ) || current_theme_supports( 'custom-header', 'flex-width' ) ) ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); if ( $_POST['oitar'] > 1 ) { $_POST['x1'] = $_POST['x1'] * $_POST['oitar']; diff --git a/src/wp-admin/customize.php b/src/wp-admin/customize.php index 7ec8f90aed..c78a7cb38d 100644 --- a/src/wp-admin/customize.php +++ b/src/wp-admin/customize.php @@ -13,7 +13,7 @@ define( 'IFRAME_REQUEST', true ); require_once( dirname( __FILE__ ) . '/admin.php' ); if ( ! current_user_can( 'customize' ) ) { - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); } wp_reset_vars( array( 'url', 'return' ) ); diff --git a/src/wp-admin/edit-comments.php b/src/wp-admin/edit-comments.php index 5f289762d6..d1bf2b568d 100644 --- a/src/wp-admin/edit-comments.php +++ b/src/wp-admin/edit-comments.php @@ -9,7 +9,7 @@ /** WordPress Administration Bootstrap */ require_once( dirname( __FILE__ ) . '/admin.php' ); if ( !current_user_can('edit_posts') ) - wp_die(__('Cheatin’ uh?')); + wp_die( __( 'Cheatin’ uh?' ), 403 ); $wp_list_table = _get_list_table('WP_Comments_List_Table'); $pagenum = $wp_list_table->get_pagenum(); diff --git a/src/wp-admin/edit-tags.php b/src/wp-admin/edit-tags.php index 84e56852b5..aa727b59e6 100644 --- a/src/wp-admin/edit-tags.php +++ b/src/wp-admin/edit-tags.php 
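Review bot: The crop arithmetic directly after the new 403 checks still multiplies raw request values — `$_POST['x1'] = $_POST['x1'] * $_POST['oitar'];` — guarded only by `if ( $_POST['oitar'] > 1 )`, so a non-numeric or fractional `oitar` reaches the resize math unvalidated. Casting once up front, e.g. `$oitar = isset( $_POST['oitar'] ) ? (int) $_POST['oitar'] : 1;` followed by `$_POST['x1'] = (int) $_POST['x1'] * $oitar;`, keeps the later crop call working on integers. This is pre-existing and the commit only changes response codes, and the remainder of the enclosing method is outside the hunk, so I cannot see whether the coordinates are cast before they are used.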
@@ -18,7 +18,7 @@ if ( ! $tax ) wp_die( __( 'Invalid taxonomy' ) ); if ( ! current_user_can( $tax->cap->manage_terms ) ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); $wp_list_table = _get_list_table('WP_Terms_List_Table'); $pagenum = $wp_list_table->get_pagenum(); @@ -47,7 +47,7 @@ case 'add-tag': check_admin_referer( 'add-tag', '_wpnonce_add-tag' ); if ( !current_user_can( $tax->cap->edit_terms ) ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); $ret = wp_insert_term( $_POST['tag-name'], $taxonomy, $_POST ); $location = 'edit-tags.php?taxonomy=' . $taxonomy; @@ -83,7 +83,7 @@ case 'delete': check_admin_referer( 'delete-tag_' . $tag_ID ); if ( !current_user_can( $tax->cap->delete_terms ) ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); wp_delete_term( $tag_ID, $taxonomy ); @@ -95,7 +95,7 @@ case 'bulk-delete': check_admin_referer( 'bulk-tags' ); if ( !current_user_can( $tax->cap->delete_terms ) ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); $tags = (array) $_REQUEST['delete_tags']; foreach ( $tags as $tag_ID ) { @@ -133,7 +133,7 @@ case 'editedtag': check_admin_referer( 'update-tag_' . $tag_ID ); if ( !current_user_can( $tax->cap->edit_terms ) ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); $tag = get_term( $tag_ID, $taxonomy ); if ( ! $tag ) diff --git a/src/wp-admin/edit.php b/src/wp-admin/edit.php index de0b7d0f56..b5c4cde6ff 100644 --- a/src/wp-admin/edit.php +++ b/src/wp-admin/edit.php @@ -25,7 +25,7 @@ if ( ! $post_type_object ) wp_die( __( 'Invalid post type' ) ); if ( ! current_user_can( $post_type_object->cap->edit_posts ) ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); $wp_list_table = _get_list_table('WP_Posts_List_Table'); $pagenum = $wp_list_table->get_pagenum(); diff --git a/src/wp-admin/includes/bookmark.php b/src/wp-admin/includes/bookmark.php index f7977944ec..b73df8b8aa 100644 
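Review bot: Two lines above the new 403, `if ( ! $tax ) wp_die( __( 'Invalid taxonomy' ) );` still falls back to the default 500, although an unknown `taxonomy` query argument is a client error rather than a server fault; since this commit is already auditing `wp_die()` status codes in this file, `wp_die( __( 'Invalid taxonomy' ), 404 );` would be consistent. A 500 for a malformed URL also tends to trip error-rate alerting for no reason. The `editedtag` hunk further down has a similar `if ( ! $tag )` whose `wp_die()` is outside the hunk and presumably still returns 500.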
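Review bot: `if ( ! $post_type_object ) wp_die( __( 'Invalid post type' ) );` on the line before the changed one keeps the default 500 for a caller-supplied bad `post_type`; `wp_die( __( 'Invalid post type' ), 404 );` would match the intent of this commit and keep 5xx for genuine server failures. Only the capability branch was changed in this hunk.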
--- a/src/wp-admin/includes/bookmark.php +++ b/src/wp-admin/includes/bookmark.php @@ -27,7 +27,7 @@ function add_link() { */ function edit_link( $link_id = 0 ) { if ( !current_user_can( 'manage_links' ) ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); $_POST['link_url'] = esc_html( $_POST['link_url'] ); $_POST['link_url'] = esc_url($_POST['link_url']); diff --git a/src/wp-admin/media-upload.php b/src/wp-admin/media-upload.php index cb871c0c11..114328f134 100644 --- a/src/wp-admin/media-upload.php +++ b/src/wp-admin/media-upload.php @@ -32,10 +32,10 @@ $post_id = isset($post_id)? (int) $post_id : 0; // Require an ID for the edit screen. if ( isset($action) && $action == 'edit' && !$ID ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); if ( ! empty( $_REQUEST['post_id'] ) && ! current_user_can( 'edit_post' , $_REQUEST['post_id'] ) ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); // Upload type: image, video, file, ..? if ( isset($_GET['type']) ) { diff --git a/src/wp-admin/nav-menus.php b/src/wp-admin/nav-menus.php index 9ab2b1dcde..5f99e720c0 100644 --- a/src/wp-admin/nav-menus.php +++ b/src/wp-admin/nav-menus.php @@ -20,7 +20,7 @@ if ( ! current_theme_supports( 'menus' ) && ! current_theme_supports( 'widgets' // Permissions Check if ( ! current_user_can('edit_theme_options') ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); wp_enqueue_script( 'nav-menu' ); diff --git a/src/wp-admin/network/site-users.php b/src/wp-admin/network/site-users.php index a037c8b871..b5a6ab7259 100644 --- a/src/wp-admin/network/site-users.php +++ b/src/wp-admin/network/site-users.php @@ -133,7 +133,7 @@ if ( $action ) { // If the user doesn't already belong to the blog, bail. if ( !is_user_member_of_blog( $user_id ) ) - wp_die(__('Cheatin’ uh?')); + wp_die( __( 'Cheatin’ uh?' ), 403 ); $user = get_userdata( $user_id ); $user->set_role( $_REQUEST['new_role'] ); 
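Review bot: Right after the new 403 in `edit_link()`, `$_POST['link_url']` is run through `esc_html()` and then `esc_url()`; `esc_html()` entity-encodes `&` first and `esc_url()` is the display-context escaper, so a URL containing `&` is likely persisted in entity-encoded form rather than as a clean URL. If the value is stored from here (the rest of `edit_link()` is outside the hunk, so this is inferred), the storage-context `$_POST['link_url'] = esc_url_raw( $_POST['link_url'] );` alone is the idiomatic choice, with `esc_url()` applied at output time. Pre-existing, but worth a follow-up since this is a privileged write path.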
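Review bot: The first changed call in `media-upload.php` — `if ( isset($action) && $action == 'edit' && !$ID ) wp_die( ..., 403 )` — is not a permissions failure: a missing attachment ID on the edit screen is a malformed request, so `wp_die( __( 'Cheatin’ uh?' ), 400 );` fits the commit's stated rule better and keeps 403 meaningful for the `current_user_can( 'edit_post', ... )` check two lines below, which is a genuine authorisation failure. Minor: `$_REQUEST['post_id']` is handed to `current_user_can()` uncast; `(int) $_REQUEST['post_id']` would make the meta-capability lookup unambiguous.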
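Review bot: Immediately after the new 403 in `site-users.php`, `$user->set_role( $_REQUEST['new_role'] );` assigns a role name taken straight from the request, and this hunk shows no check that the value is a role the current user is allowed to grant. If that check is not already performed earlier in this `case` (outside the hunk, so I cannot confirm), the expected guard before `set_role()` is `$editable_roles = get_editable_roles();` followed by `if ( empty( $editable_roles[ $_REQUEST['new_role'] ] ) ) wp_die( __( 'You can’t give users that role.' ), 403 );`, otherwise any role string submitted by the form is accepted. The same pattern appears in the `users.php` promote hunk later in this diff.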
diff --git a/src/wp-admin/options.php b/src/wp-admin/options.php index 594a234ff4..6cf5823544 100644 --- a/src/wp-admin/options.php +++ b/src/wp-admin/options.php @@ -45,7 +45,7 @@ if ( empty($option_page) ) { } if ( !current_user_can( $capability ) ) - wp_die(__('Cheatin’ uh?')); + wp_die( __( 'Cheatin’ uh?' ), 403 ); // Handle admin email change requests if ( is_multisite() ) { @@ -69,7 +69,7 @@ if ( is_multisite() ) { } if ( is_multisite() && !is_super_admin() && 'update' != $action ) - wp_die(__('Cheatin’ uh?')); + wp_die( __( 'Cheatin’ uh?' ), 403 ); $whitelist_options = array( 'general' => array( 'blogname', 'blogdescription', 'gmt_offset', 'date_format', 'time_format', 'start_of_week', 'timezone_string', 'WPLANG' ), diff --git a/src/wp-admin/post-new.php b/src/wp-admin/post-new.php index bfdffaf3a3..d919d55ca1 100644 --- a/src/wp-admin/post-new.php +++ b/src/wp-admin/post-new.php @@ -48,7 +48,7 @@ $title = $post_type_object->labels->add_new_item; $editing = true; if ( ! current_user_can( $post_type_object->cap->edit_posts ) || ! current_user_can( $post_type_object->cap->create_posts ) ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); // Schedule auto-draft cleanup if ( ! wp_next_scheduled( 'wp_scheduled_auto_draft_delete' ) ) diff --git a/src/wp-admin/press-this.php b/src/wp-admin/press-this.php index 09548bad09..160a286642 100644 --- a/src/wp-admin/press-this.php +++ b/src/wp-admin/press-this.php @@ -14,7 +14,7 @@ require_once( dirname( __FILE__ ) . '/admin.php' ); header('Content-Type: ' . get_option('html_type') . '; charset=' . get_option('blog_charset')); if ( ! current_user_can( 'edit_posts' ) || ! current_user_can( get_post_type_object( 'post' )->cap->create_posts ) ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); /** * Press It form handler. diff --git a/src/wp-admin/themes.php b/src/wp-admin/themes.php index 5a4dc2c20f..0729f18ed4 100644 --- a/src/wp-admin/themes.php +++ b/src/wp-admin/themes.php 
@@ -10,14 +10,14 @@ require_once( dirname( __FILE__ ) . '/admin.php' ); if ( !current_user_can('switch_themes') && !current_user_can('edit_theme_options') ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); if ( current_user_can( 'switch_themes' ) && isset($_GET['action'] ) ) { if ( 'activate' == $_GET['action'] ) { check_admin_referer('switch-theme_' . $_GET['stylesheet']); $theme = wp_get_theme( $_GET['stylesheet'] ); if ( ! $theme->exists() || ! $theme->is_allowed() ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); switch_theme( $theme->get_stylesheet() ); wp_redirect( admin_url('themes.php?activated=true') ); exit; @@ -25,7 +25,7 @@ if ( current_user_can( 'switch_themes' ) && isset($_GET['action'] ) ) { check_admin_referer('delete-theme_' . $_GET['stylesheet']); $theme = wp_get_theme( $_GET['stylesheet'] ); if ( !current_user_can('delete_themes') || ! $theme->exists() ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); delete_theme($_GET['stylesheet']); wp_redirect( admin_url('themes.php?deleted=true') ); exit; diff --git a/src/wp-admin/user-new.php b/src/wp-admin/user-new.php index be3bf6974a..61343735e7 100644 --- a/src/wp-admin/user-new.php +++ b/src/wp-admin/user-new.php @@ -11,9 +11,9 @@ require_once( dirname( __FILE__ ) . '/admin.php' ); if ( is_multisite() ) { if ( ! current_user_can( 'create_users' ) && ! current_user_can( 'promote_users' ) ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); } elseif ( ! current_user_can( 'create_users' ) ) { - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); } if ( is_multisite() ) { @@ -55,7 +55,7 @@ if ( isset($_REQUEST['action']) && 'adduser' == $_REQUEST['action'] ) { } if ( ! current_user_can('promote_user', $user_details->ID) ) - wp_die(__('Cheatin’ uh?')); + wp_die( __( 'Cheatin’ uh?' ), 403 ); // Adding an existing user to this blog $new_user_email = $user_details->user_email; 
@@ -92,7 +92,7 @@ Please click the following link to confirm the invite: check_admin_referer( 'create-user', '_wpnonce_create-user' ); if ( ! current_user_can('create_users') ) - wp_die(__('Cheatin’ uh?')); + wp_die( __( 'Cheatin’ uh?' ), 403 ); if ( ! is_multisite() ) { $user_id = edit_user(); diff --git a/src/wp-admin/users.php b/src/wp-admin/users.php index c83dbaa644..64f029cd81 100644 --- a/src/wp-admin/users.php +++ b/src/wp-admin/users.php @@ -10,7 +10,7 @@ require_once( dirname( __FILE__ ) . '/admin.php' ); if ( ! current_user_can( 'list_users' ) ) - wp_die( __( 'Cheatin’ uh?' ) ); + wp_die( __( 'Cheatin’ uh?' ), 403 ); $wp_list_table = _get_list_table('WP_Users_List_Table'); $pagenum = $wp_list_table->get_pagenum(); @@ -128,7 +128,7 @@ case 'promote': // If the user doesn't already belong to the blog, bail. if ( is_multisite() && !is_user_member_of_blog( $id ) ) - wp_die(__('Cheatin’ uh?')); + wp_die( __( 'Cheatin’ uh?' ), 403 ); $user = get_userdata( $id ); $user->set_role($_REQUEST['new_role']); diff --git a/src/wp-admin/widgets.php b/src/wp-admin/widgets.php index f4de378ff1..8bfce56b17 100644 --- a/src/wp-admin/widgets.php +++ b/src/wp-admin/widgets.php @@ -13,7 +13,7 @@ require_once( dirname( __FILE__ ) . '/admin.php' ); require_once(ABSPATH . 'wp-admin/includes/widgets.php'); if ( ! current_user_can('edit_theme_options') ) - wp_die( __( 'Cheatin’ uh?' )); + wp_die( __( 'Cheatin’ uh?' ), 403 ); $widgets_access = get_user_setting( 'widgets_access' ); if ( isset($_GET['widgets-access']) ) { diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php index a067452764..b77d59ed3d 100644 --- a/src/wp-includes/functions.php +++ b/src/wp-includes/functions.php 
@@ -2312,7 +2312,6 @@ function get_allowed_mime_types( $user = null ) { * @param string $action The nonce action. */ function wp_nonce_ays( $action ) { - $title = __( 'WordPress Failure Notice' ); if ( 'log-out' == $action ) { $html = sprintf( __( 'You are attempting to log out of %s' ), get_bloginfo( 'name' ) ) . '

'; $redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : ''; @@ -2323,7 +2322,7 @@ function wp_nonce_ays( $action ) { $html .= "
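Review bot: `if ( 'log-out' == $action )` in `wp_nonce_ays()` uses a loose comparison on a value callers derive from the request; `if ( 'log-out' === $action )` costs nothing and rules out type-juggling surprises. `$redirect_to` is read straight from `$_REQUEST['redirect_to']` and how it is embedded in `$html` is further down and not visible here (the markup was stripped in this rendering), so confirm it passes through `wp_logout_url()`/`esc_url()` rather than raw concatenation, since this is an error page shown on a failed nonce. Dropping the `$title` local is fine as the title is now supplied inline at the call site.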

" . __( 'Please try again.' ) . ""; } - wp_die( $html, $title, array('response' => 403) ); + wp_die( $html, __( 'WordPress Failure Notice' ), 403 ); } /**