From 66fb039ffe5c7b2fb88af69b13699ac904c4dab1 Mon Sep 17 00:00:00 2001 From: Dion Hulse Date: Fri, 29 Nov 2013 09:00:23 +0000 Subject: [PATCH] Themes: Do extra Cap checks before outputting links, and use full URI's. See #25948 git-svn-id: https://develop.svn.wordpress.org/trunk@26470 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-admin/includes/theme.php | 8 ++++---- src/wp-admin/themes.php | 19 ++++++++++--------- 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/src/wp-admin/includes/theme.php b/src/wp-admin/includes/theme.php index 898b1cd016..9ae4fe5f74 100644 --- a/src/wp-admin/includes/theme.php +++ b/src/wp-admin/includes/theme.php @@ -142,7 +142,7 @@ function get_theme_update_available( $theme ) { $update = $themes_update->response[ $stylesheet ]; $theme_name = $theme->display('Name'); $details_url = add_query_arg(array('TB_iframe' => 'true', 'width' => 1024, 'height' => 800), $update['url']); //Theme browser inside WP? replace this, Also, theme preview JS will override this on the available list. - $update_url = wp_nonce_url('update.php?action=upgrade-theme&theme=' . urlencode($stylesheet), 'upgrade-theme_' . $stylesheet); + $update_url = wp_nonce_url( admin_url( 'update.php?action=upgrade-theme&theme=' . urlencode( $stylesheet ) ), 'upgrade-theme_' . $stylesheet ); $update_onclick = 'onclick="if ( confirm(\'' . esc_js( __("Updating this theme will lose any customizations you have made. 'Cancel' to stop, 'OK' to update.") ) . '\') ) {return true;}return false;"'; if ( !is_multisite() ) { 
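Review bot: The rewritten `$update_url` line still emits the upgrade link unconditionally inside this hunk, although the commit's stated purpose is to gate links on capabilities; whether `update_themes` is checked earlier in get_theme_update_available cannot be seen here because the function's head lies outside the hunk, so confirm that guard exists rather than relying on the caller. For consistency with `$details_url` two lines above, the query could be assembled as `add_query_arg( array( 'action' => 'upgrade-theme', 'theme' => $stylesheet ), admin_url( 'update.php' ) )` instead of manual concatenation, though the concatenated form is not wrong. The nonce action `'upgrade-theme_' . $stylesheet` uses the raw slug while the query string carries the urlencoded one; that is presumably what the update.php handler verifies against after request decoding, which is outside this diff, so it is worth a quick check rather than a change.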
@@ -414,9 +414,9 @@ function wp_prepare_themes_for_js( $themes = null ) {
 'hasUpdate' => isset( $updates[ $slug ] ),
 'update' => get_theme_update_available( $theme ),
 'actions' => array(
- 'activate' => wp_nonce_url( 'themes.php?action=activate&stylesheet=' . $encoded_slug, 'switch-theme_' . $slug ),
- 'customize'=> admin_url( 'customize.php?theme=' . $encoded_slug ),
- 'delete' => wp_nonce_url( 'themes.php?action=delete&stylesheet=' . $encoded_slug, 'delete-theme_' . $slug ),
+ 'activate' => current_user_can( 'switch_themes' ) ? wp_nonce_url( admin_url( 'themes.php?action=activate&stylesheet=' . $encoded_slug ), 'switch-theme_' . $slug ) : null,
+ 'customize'=> current_user_can( 'edit_theme_options' ) ? admin_url( 'customize.php?theme=' . $encoded_slug ) : null,
+ 'delete' => current_user_can( 'delete_themes' ) ? wp_nonce_url( admin_url( 'themes.php?action=delete&stylesheet=' . $encoded_slug ), 'delete-theme_' . $slug ) : null,
 ),
 );
 }
diff --git a/src/wp-admin/themes.php b/src/wp-admin/themes.php
index 61c1ca00df..2039e68b9f 100644
--- a/src/wp-admin/themes.php
+++ b/src/wp-admin/themes.php
@@ -92,10 +92,9 @@ wp_localize_script( 'theme', '_wpThemeSettings', array(
 'themes' => $themes,
 'settings' => array(
 'canInstall' => ( ! is_multisite() && current_user_can( 'install_themes' ) ),
- 'installURI' => admin_url( 'theme-install.php' ),
- 'customizeURI' => ( current_user_can( 'edit_theme_options' ) ) ? wp_customize_url() : null,
+ 'installURI' => ( ! is_multisite() && current_user_can( 'install_themes' ) ) ? admin_url( 'theme-install.php' ) : null,
 'confirmDelete' => __( "Are you sure you want to delete this theme?\n\nClick 'Cancel' to go back, 'OK' to confirm the delete." ),
- 'root' => '/wp-admin/themes.php',
+ 'root' => admin_url( 'themes.php' ),
 'extraRoutes' => '',
 ),
 'l10n' => array(
@@ -220,12 +219,12 @@ if ( ! is_multisite() && current_user_can('edit_themes') && $broken_themes = wp_
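Review bot: The three `actions` entries now hold null when the capability check fails, and nothing in the hunk records that contract for consumers of wp_prepare_themes_for_js; the function's docblock, which is outside the hunk, should state it, e.g. `'actions' entries are admin URLs, or null when the current user lacks the capability for that action`. A null here is a presentation hint only: the activate and delete handlers in themes.php must still enforce `switch_themes` and `delete_themes` and verify the nonce themselves, which this hunk cannot show. The three `current_user_can()` calls do not depend on `$theme`, so if this array sits inside the per-theme loop (the loop head is not visible here) they could be evaluated once before it.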
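Review bot: The new `installURI` line repeats the `! is_multisite() && current_user_can( 'install_themes' )` expression from the `canInstall` line directly above it, so the two can silently drift apart when one is edited; compute it once before the wp_localize_script() call, `$can_install = ! is_multisite() && current_user_can( 'install_themes' );`, then use `'canInstall' => $can_install,` and `'installURI' => $can_install ? admin_url( 'theme-install.php' ) : null,`. Dropping `customizeURI` from settings is only safe if every template reference to `wp.themes.data.settings['customizeURI']` is updated; the -220 hunk below replaces one such check with `data.actions['customize']`, but the rest of that hunk is garbled on this page, so any remaining references cannot be confirmed here.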

{{ data.name }}

+
<# if ( data.active ) { #> - - <# if ( wp.themes.data.settings['customizeURI'] ) { #> - + <# if ( data.actions['customize'] ) { #> + <# } #> <# } else { #> @@ -292,7 +291,7 @@ if ( ! is_multisite() && current_user_can('edit_themes') && $broken_themes = wp_
- + @@ -300,11 +299,13 @@ if ( ! is_multisite() && current_user_can('edit_themes') && $broken_themes = wp_
- + <# if ( data.actions.activate ) { #> + + <# } #>
- <# if ( ! data.active ) { #> + <# if ( ! data.active && data.actions.delete ) { #> <# } #>