Theme Customizer: Block non-existent or non-allowed themes, unless the non-allowed theme is the active theme. Support a user having edit_theme_options xor switch_themes. fixes #20852.
git-svn-id: https://develop.svn.wordpress.org/trunk@21010 602fd350-edb4-49c9-b593-d223f7449a82
parent
8f4c41a2dd
commit
7996c82427
@ -102,7 +102,7 @@ $admin_body_class .= ' no-customize-support';
|
||||
<?php
|
||||
// If the customize-loader script is enqueued, make sure the customize
|
||||
// body classes are correct as early as possible.
|
||||
if ( wp_script_is( 'customize-loader', 'queue' ) )
|
||||
if ( wp_script_is( 'customize-loader', 'queue' ) && current_user_can( 'edit_theme_options' ) )
|
||||
wp_customize_support_script();
|
||||
?>
|
||||
|
||||
|
@ -13,11 +13,6 @@ if ( ! current_user_can( 'edit_theme_options' ) )
|
||||
|
||||
global $wp_scripts, $wp_customize;
|
||||
|
||||
wp_reset_vars( array( 'theme' ) );
|
||||
|
||||
if ( ! $theme )
|
||||
$theme = get_stylesheet();
|
||||
|
||||
$registered = $wp_scripts->registered;
|
||||
$wp_scripts = new WP_Scripts;
|
||||
$wp_scripts->registered = $registered;
|
||||
@ -48,7 +43,7 @@ do_action( 'customize_controls_print_scripts' );
|
||||
</head>
|
||||
<body class="wp-full-overlay">
|
||||
<form id="customize-controls" class="wrap wp-full-overlay-sidebar">
|
||||
<?php wp_nonce_field( 'customize_controls' ); ?>
|
||||
<?php wp_nonce_field( 'customize_controls-' . $wp_customize->get_stylesheet() ); ?>
|
||||
<div id="customize-header-actions" class="wp-full-overlay-header">
|
||||
<?php
|
||||
$save_text = $wp_customize->is_theme_active() ? __( 'Save & Publish' ) : __( 'Save & Activate' );
|
||||
|
@ -125,21 +125,25 @@ class WP_Themes_List_Table extends WP_List_Table {
|
||||
$version = $theme->display('Version');
|
||||
$author = $theme->display('Author');
|
||||
|
||||
$activate_link = wp_nonce_url( "themes.php?action=activate&template=" . urlencode( $template ) . "&stylesheet=" . urlencode( $stylesheet ), 'switch-theme_' . $template );
|
||||
$activate_link = wp_nonce_url( "themes.php?action=activate&template=" . urlencode( $template ) . "&stylesheet=" . urlencode( $stylesheet ), 'switch-theme_' . $stylesheet );
|
||||
|
||||
$preview_link = esc_url( add_query_arg(
|
||||
array( 'preview' => 1, 'template' => $template, 'stylesheet' => $stylesheet, 'preview_iframe' => true, 'TB_iframe' => 'true' ),
|
||||
home_url( '/' ) ) );
|
||||
|
||||
$actions = array();
|
||||
$actions[] = '<a href="' . $activate_link . '" class="activatelink" title="'
|
||||
$actions['activate'] = '<a href="' . $activate_link . '" class="activatelink" title="'
|
||||
. esc_attr( sprintf( __( 'Activate “%s”' ), $title ) ) . '">' . __( 'Activate' ) . '</a>';
|
||||
$actions[] = '<a href="' . $preview_link . '" class="hide-if-customize" title="'
|
||||
. esc_attr( sprintf( __( 'Preview “%s”' ), $title ) ) . '">' . __( 'Preview' ) . '</a>'
|
||||
. '<a href="' . wp_customize_url( $stylesheet ) . '" class="load-customize hide-if-no-customize">'
|
||||
|
||||
$actions['preview'] = '<a href="' . $preview_link . '" class="hide-if-customize" title="'
|
||||
. esc_attr( sprintf( __( 'Preview “%s”' ), $title ) ) . '">' . __( 'Preview' ) . '</a>';
|
||||
|
||||
if ( current_user_can( 'edit_theme_options' ) )
|
||||
$actions['preview'] .= '<a href="' . wp_customize_url( $stylesheet ) . '" class="load-customize hide-if-no-customize">'
|
||||
. __( 'Live Preview' ) . '</a>';
|
||||
|
||||
if ( ! is_multisite() && current_user_can( 'delete_themes' ) )
|
||||
$actions['delete'] = '<a class="submitdelete deletion" href="' . wp_nonce_url( "themes.php?action=delete&template=$stylesheet", 'delete-theme_' . $stylesheet )
|
||||
$actions['delete'] = '<a class="submitdelete deletion" href="' . wp_nonce_url( "themes.php?action=delete&stylesheet=$stylesheet", 'delete-theme_' . $stylesheet )
|
||||
. '" onclick="' . "return confirm( '" . esc_js( sprintf( __( "You are about to delete this theme '%s'\n 'Cancel' to stop, 'OK' to delete." ), $title ) )
|
||||
. "' );" . '">' . __( 'Delete' ) . '</a>';
|
||||
|
||||
|
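Review bot: The rewritten delete link at `$actions['delete']` interpolates `$stylesheet` straight into the query string, while the activate link a few lines up runs both `$template` and `$stylesheet` through urlencode(); a stylesheet directory name containing `&`, `#` or `%` would yield a URL whose `stylesheet` parameter no longer matches the `delete-theme_` nonce checked in themes.php. Build it the same way as the activate link: `wp_nonce_url( 'themes.php?action=delete&stylesheet=' . urlencode( $stylesheet ), 'delete-theme_' . $stylesheet )`. The enclosing method of WP_Themes_List_Table starts and ends outside the hunk.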
@ -11,19 +11,19 @@
|
||||
*
|
||||
* @since 2.8.0
|
||||
*
|
||||
* @param string $template Template directory of the theme to delete
|
||||
* @param string $stylesheet Stylesheet of the theme to delete
|
||||
* @param string $redirect Redirect to page when complete.
|
||||
* @return mixed
|
||||
*/
|
||||
function delete_theme($template, $redirect = '') {
|
||||
function delete_theme($stylesheet, $redirect = '') {
|
||||
global $wp_filesystem;
|
||||
|
||||
if ( empty($template) )
|
||||
if ( empty($stylesheet) )
|
||||
return false;
|
||||
|
||||
ob_start();
|
||||
if ( empty( $redirect ) )
|
||||
$redirect = wp_nonce_url('themes.php?action=delete&template=' . $template, 'delete-theme_' . $template);
|
||||
$redirect = wp_nonce_url('themes.php?action=delete&stylesheet=' . $stylesheet, 'delete-theme_' . $stylesheet);
|
||||
if ( false === ($credentials = request_filesystem_credentials($redirect)) ) {
|
||||
$data = ob_get_contents();
|
||||
ob_end_clean();
|
||||
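Review bot: The docblock is updated for the renamed `$stylesheet` parameter but still declares `@return mixed`; within the visible body delete_theme() returns `false` when the stylesheet is empty and `WP_Error` objects on filesystem failures, so `@return bool|WP_Error` would state the contract callers actually branch on. Confirm against the part of the body that lies outside the hunk before narrowing it, since the function continues past the visible lines.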
@ -61,11 +61,11 @@ function delete_theme($template, $redirect = '') {
|
||||
return new WP_Error('fs_no_themes_dir', __('Unable to locate WordPress theme directory.'));
|
||||
|
||||
$themes_dir = trailingslashit( $themes_dir );
|
||||
$theme_dir = trailingslashit($themes_dir . $template);
|
||||
$theme_dir = trailingslashit($themes_dir . $stylesheet);
|
||||
$deleted = $wp_filesystem->delete($theme_dir, true);
|
||||
|
||||
if ( ! $deleted )
|
||||
return new WP_Error('could_not_remove_theme', sprintf(__('Could not fully remove the theme %s.'), $template) );
|
||||
return new WP_Error('could_not_remove_theme', sprintf(__('Could not fully remove the theme %s.'), $stylesheet) );
|
||||
|
||||
// Force refresh of theme update information
|
||||
delete_site_transient('update_themes');
|
||||
|
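Review bot: `$theme_dir = trailingslashit($themes_dir . $stylesheet);` concatenates the caller-supplied name onto the themes directory and the next line deletes that path recursively, yet nothing inside delete_theme() confirms `$stylesheet` is a single directory name. The themes.php caller in this commit checks `wp_get_theme( $_GET['stylesheet'] )->exists()` first, but delete_theme() is a public function and that guarantee is not visible from here; a local guard next to the existing empty() check, `if ( empty($stylesheet) || basename( $stylesheet ) !== $stylesheet ) return false;`, keeps the deletion confined to an immediate child of the themes directory regardless of caller. This relies on the assumption that WP_Theme::exists() does not already reject such names — verify before deciding whether the extra check is redundant.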
@ -16,15 +16,19 @@ $wp_list_table = _get_list_table('WP_Themes_List_Table');
|
||||
|
||||
if ( current_user_can( 'switch_themes' ) && isset($_GET['action'] ) ) {
|
||||
if ( 'activate' == $_GET['action'] ) {
|
||||
check_admin_referer('switch-theme_' . $_GET['template']);
|
||||
check_admin_referer('switch-theme_' . $_GET['stylesheet']);
|
||||
$theme = wp_get_theme( $_GET['stylesheet'] );
|
||||
if ( ! $theme->exists() || ! $theme->is_allowed() )
|
||||
wp_die( __( 'Cheatin’ uh?' ) );
|
||||
switch_theme($_GET['template'], $_GET['stylesheet']);
|
||||
wp_redirect( admin_url('themes.php?activated=true') );
|
||||
exit;
|
||||
} elseif ( 'delete' == $_GET['action'] ) {
|
||||
check_admin_referer('delete-theme_' . $_GET['template']);
|
||||
if ( !current_user_can('delete_themes') )
|
||||
check_admin_referer('delete-theme_' . $_GET['stylesheet']);
|
||||
$theme = wp_get_theme( $_GET['stylesheet'] );
|
||||
if ( !current_user_can('delete_themes') || ! $theme->exists() )
|
||||
wp_die( __( 'Cheatin’ uh?' ) );
|
||||
delete_theme($_GET['template']);
|
||||
delete_theme($_GET['stylesheet']);
|
||||
wp_redirect( admin_url('themes.php?deleted=true') );
|
||||
exit;
|
||||
}
|
||||
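Review bot: In the activate branch the theme is validated with `exists()` and `is_allowed()`, but the switch still takes the parent template from the unchecked `$_GET['template']`, so the validated stylesheet can be paired with an arbitrary template name; derive both from the validated object instead: `switch_theme( $theme->get_template(), $theme->get_stylesheet() );`. Both branches also index `$_GET['stylesheet']` without `isset()`, which emits a notice before check_admin_referer() runs when the parameter is absent — reading it into a local with an `isset()` fallback first would avoid that. The surrounding `if ( current_user_can( 'switch_themes' ) ... )` block ends outside the hunk.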
@ -60,6 +64,8 @@ if ( current_user_can( 'install_themes' ) ) {
|
||||
) );
|
||||
}
|
||||
|
||||
endif; // switch_themes
|
||||
|
||||
if ( current_user_can( 'edit_theme_options' ) ) {
|
||||
$help_customize =
|
||||
'<p>' . __('Click on the "Live Preview" link under any theme to preview that theme and change theme options in a separate, full-screen view. Any installed theme can be previewed and customized in this way.') . '</p>'.
|
||||
@ -83,8 +89,6 @@ get_current_screen()->set_help_sidebar(
|
||||
wp_enqueue_script( 'theme' );
|
||||
wp_enqueue_script( 'customize-loader' );
|
||||
|
||||
endif;
|
||||
|
||||
require_once('./admin-header.php');
|
||||
?>
|
||||
|
||||
@ -120,9 +124,11 @@ $customize_title = sprintf( __( 'Customize “%s”' ), $ct->display('Na
|
||||
?>
|
||||
<div id="current-theme" class="<?php echo esc_attr( $class ); ?>">
|
||||
<?php if ( $screenshot ) : ?>
|
||||
<?php if ( current_user_can( 'edit_theme_options' ) ) : ?>
|
||||
<a href="<?php echo wp_customize_url(); ?>" class="load-customize hide-if-no-customize" title="<?php echo esc_attr( $customize_title ); ?>">
|
||||
<img src="<?php echo esc_url( $screenshot ); ?>" alt="<?php esc_attr_e( 'Current theme preview' ); ?>" />
|
||||
</a>
|
||||
<?php endif; ?>
|
||||
<img class="hide-if-customize" src="<?php echo esc_url( $screenshot ); ?>" alt="<?php esc_attr_e( 'Current theme preview' ); ?>" />
|
||||
<?php endif; ?>
|
||||
|
||||
@ -140,9 +146,6 @@ $customize_title = sprintf( __( 'Customize “%s”' ), $ct->display('Na
|
||||
<?php theme_update_available( $ct ); ?>
|
||||
</div>
|
||||
|
||||
<div class="theme-options">
|
||||
<a id="customize-current-theme-link" href="<?php echo wp_customize_url(); ?>" class="load-customize hide-if-no-customize" title="<?php echo esc_attr( $customize_title ); ?>"><?php _e( 'Customize' )?></a>
|
||||
<span><?php _e( 'Options:' )?></span>
|
||||
<?php
|
||||
// Pretend you didn't see this.
|
||||
$options = array();
|
||||
@ -171,13 +174,26 @@ $customize_title = sprintf( __( 'Customize “%s”' ), $ct->display('Na
|
||||
}
|
||||
}
|
||||
|
||||
if ( $options || current_user_can( 'edit_theme_options' ) ) :
|
||||
?>
|
||||
<div class="theme-options">
|
||||
<?php if ( current_user_can( 'edit_theme_options' ) ) : ?>
|
||||
<a id="customize-current-theme-link" href="<?php echo wp_customize_url(); ?>" class="load-customize hide-if-no-customize" title="<?php echo esc_attr( $customize_title ); ?>"><?php _e( 'Customize' ); ?></a>
|
||||
<?php
|
||||
endif; // edit_theme_options
|
||||
if ( $options ) :
|
||||
?>
|
||||
<span><?php _e( 'Options:' )?></span>
|
||||
<ul>
|
||||
<?php foreach ( $options as $option ) : ?>
|
||||
<li><?php echo $option; ?></li>
|
||||
<?php endforeach; ?>
|
||||
</ul>
|
||||
</div>
|
||||
</div>
|
||||
<?php
|
||||
endif; // options
|
||||
endif; // options || edit_theme_options
|
||||
?>
|
||||
|
||||
</div>
|
||||
|
||||
|
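Review bot: The moved `<span><?php _e( 'Options:' )?></span>` line keeps the old form with no terminating semicolon or space before `?>`, while the `_e( 'Customize' ); ?>` call added in the same hunk uses the conventional form; write it as `<span><?php _e( 'Options:' ); ?></span>` so the two lines read alike. The `endif; // options` and `endif; // options || edit_theme_options` trailing comments are worth keeping given how the PHP control structures interleave with the HTML.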
@ -78,11 +78,22 @@ final class WP_Customize_Manager {
|
||||
* @since 3.4.0
|
||||
*/
|
||||
public function setup_theme() {
|
||||
if ( ! ( isset( $_REQUEST['customize'] ) && 'on' == $_REQUEST['customize'] ) && ! basename( $_SERVER['PHP_SELF'] ) == 'customize.php' )
|
||||
return;
|
||||
|
||||
send_origin_headers();
|
||||
|
||||
$this->original_stylesheet = get_stylesheet();
|
||||
|
||||
$this->theme = wp_get_theme( isset( $_REQUEST['theme'] ) ? $_REQUEST['theme'] : null );
|
||||
|
||||
// You can't preview a theme if it doesn't exist, or if it is not allowed (unless active).
|
||||
if ( ! $this->theme->exists() )
|
||||
wp_die( __( 'Cheatin’ uh?' ) );
|
||||
|
||||
if ( $this->theme->get_stylesheet() != get_stylesheet() && ( ! $this->theme()->is_allowed() || ! current_user_can( 'switch_themes' ) ) )
|
||||
wp_die( __( 'Cheatin’ uh?' ) );
|
||||
|
||||
if ( ! current_user_can( 'edit_theme_options' ) )
|
||||
wp_die( __( 'Cheatin’ uh?' ) );
|
||||
|
||||
$this->start_previewing_theme();
|
||||
show_admin_bar( false );
|
||||
}
|
||||
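Review bot: The new allowed-theme check reaches the theme through the `$this->theme()` accessor while the line just above reads the `$this->theme` property directly; unless the accessor does more than return the property (not visible here), `! $this->theme->is_allowed()` keeps the three consecutive checks uniform. Separately, the pre-existing guard `! basename( $_SERVER['PHP_SELF'] ) == 'customize.php'` parses as `( ! basename( ... ) ) == 'customize.php'`, which is always false, so the early `return` on the next line can never be taken and every request reaching this hook proceeds to the new wp_die() checks; presumably the manager is only constructed for customizer requests, but the intended comparison reads as `'customize.php' != basename( $_SERVER['PHP_SELF'] )`.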
@ -95,20 +106,10 @@ final class WP_Customize_Manager {
|
||||
* @since 3.4.0
|
||||
*/
|
||||
public function start_previewing_theme() {
|
||||
if ( $this->is_preview() || false === $this->theme || ( $this->theme && ! $this->theme->exists() ) )
|
||||
// Bail if we're already previewing.
|
||||
if ( $this->is_preview() )
|
||||
return;
|
||||
|
||||
// Initialize $theme and $original_stylesheet if they do not yet exist.
|
||||
if ( ! isset( $this->theme ) ) {
|
||||
$this->theme = wp_get_theme( isset( $_REQUEST['theme'] ) ? $_REQUEST['theme'] : null );
|
||||
if ( ! $this->theme->exists() ) {
|
||||
$this->theme = false;
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
$this->original_stylesheet = get_stylesheet();
|
||||
|
||||
$this->previewing = true;
|
||||
|
||||
add_filter( 'template', array( $this, 'get_template' ) );
|
||||
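Review bot: With the lazy initialisation removed, start_previewing_theme() now assumes `$this->theme` and `$this->original_stylesheet` were populated by setup_theme(), and the only remaining guard is the is_preview() bail; the docblock above (`* @since 3.4.0`) says nothing about that precondition even though save() re-enters this method after stop_previewing_theme(). Add a line to the docblock such as `* Requires $this->theme to have been set by setup_theme().` so the dependency is explicit. The method's body continues past the hunk.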
@ -419,13 +420,10 @@ final class WP_Customize_Manager {
|
||||
if ( ! $this->is_preview() )
|
||||
die;
|
||||
|
||||
check_ajax_referer( 'customize_controls', 'nonce' );
|
||||
check_ajax_referer( 'customize_controls-' . $this->get_stylesheet(), 'nonce' );
|
||||
|
||||
// Do we have to switch themes?
|
||||
if ( $this->get_stylesheet() != $this->original_stylesheet ) {
|
||||
if ( ! current_user_can( 'switch_themes' ) )
|
||||
die;
|
||||
|
||||
// Temporarily stop previewing the theme to allow switch_themes()
|
||||
// to operate properly.
|
||||
$this->stop_previewing_theme();
|
||||
|
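Review bot: A failed `switch_themes` check inside the theme-switch branch answers with a bare `die;`, an empty 200 response the caller cannot tell apart from a successful save, whereas the theme-bound `check_ajax_referer()` on the line above dies with `-1` on failure. Replacing it with `die( '-1' );` gives the client the same refusal signal for both rejections. The enclosing save() method starts and ends outside the hunk.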
@ -17,12 +17,9 @@ if ( typeof wp === 'undefined' )
|
||||
// Ensure the loader is supported.
|
||||
// Check for settings, postMessage support, and whether we require CORS support.
|
||||
if ( ! Loader.settings || ! $.support.postMessage || ( ! $.support.cors && Loader.settings.isCrossDomain ) ) {
|
||||
this.body.removeClass( 'customize-support' ).addClass( 'no-customize-support' );
|
||||
return;
|
||||
}
|
||||
|
||||
this.body.removeClass( 'no-customize-support' ).addClass( 'customize-support' );
|
||||
|
||||
this.window = $( window );
|
||||
this.element = $( '<div id="customize-container" />' ).appendTo( this.body );
|
||||
|
||||
|