Add some CYA cap checks.

git-svn-id: https://develop.svn.wordpress.org/trunk@11761 602fd350-edb4-49c9-b593-d223f7449a82

wp-admin/options-discussion.php

@@ -9,6 +9,9 @@
 /** WordPress Administration Bootstrap */
 require_once('admin.php');
 
+if ( ! current_user_can('manage_options') )
+	wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
 $title = __('Discussion Settings');
 $parent_file = 'options-general.php';
 

wp-admin/options-general.php

@@ -9,6 +9,9 @@
 /** WordPress Administration Bootstrap */
 require_once('./admin.php');
 
+if ( ! current_user_can('manage_options') )
+	wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
 $title = __('General Settings');
 $parent_file = 'options-general.php';
 /* translators: date and time format for exact current time, mainly about timezones, see http://php.net/date */

wp-admin/options-media.php

@@ -9,6 +9,9 @@
 /** WordPress Administration Bootstrap */
 require_once('admin.php');
 
+if ( ! current_user_can('manage_options') )
+	wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
 $title = __('Media Settings');
 $parent_file = 'options-general.php';
 

wp-admin/options-misc.php

@@ -9,6 +9,9 @@
 /** WordPress Administration Bootstrap */
 require_once('admin.php');
 
+if ( ! current_user_can('manage_options') )
+	wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
 $title = __('Miscellaneous Settings');
 $parent_file = 'options-general.php';
 

wp-admin/options-permalink.php

@@ -9,6 +9,9 @@
 /** WordPress Administration Bootstrap */
 require_once('admin.php');
 
+if ( ! current_user_can('manage_options') )
+	wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
 $title = __('Permalink Settings');
 $parent_file = 'options-general.php';
 

wp-admin/options-privacy.php

@@ -9,6 +9,9 @@
 /** Load WordPress Administration Bootstrap */
 require_once('./admin.php');
 
+if ( ! current_user_can('manage_options') )
+	wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
 $title = __('Privacy Settings');
 $parent_file = 'options-general.php';
 

wp-admin/options-reading.php

@@ -9,6 +9,9 @@
 /** WordPress Administration Bootstrap */
 require_once('admin.php');
 
+if ( ! current_user_can('manage_options') )
+	wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
 $title = __('Reading Settings');
 $parent_file = 'options-general.php';
 

wp-admin/options-writing.php

@@ -9,6 +9,9 @@
 /** WordPress Administration Bootstrap */
 require_once('admin.php');
 
+if ( ! current_user_can('manage_options') )
+	wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
 $title = __('Writing Settings');
 $parent_file = 'options-general.php';
 

wp-admin/plugins.php

@@ -9,6 +9,9 @@
 /** WordPress Administration Bootstrap */
 require_once('admin.php');
 
+if ( ! current_user_can('activate_plugins') )
+	wp_die(__('You do not have sufficient permissions to manage plugins for this blog.'));
+
 if ( isset($_POST['clear-recent-list']) )
 	$action = 'clear-recent-list';
 elseif ( !empty($_REQUEST['action']) )
@@ -37,6 +40,9 @@ $_SERVER['REQUEST_URI'] = remove_query_arg(array('error', 'deleted', 'activate',
 if ( !empty($action) ) {
 	switch ( $action ) {
 		case 'activate':
+			if ( ! current_user_can('activate_plugins') )
+				wp_die(__('You do not have sufficient permissions to activate plugins for this blog.'));
+
 			check_admin_referer('activate-plugin_' . $plugin);
 
 			$result = activate_plugin($plugin, 'plugins.php?error=true&plugin=' . $plugin);
@@ -53,6 +59,9 @@ if ( !empty($action) ) {
 			exit;
 			break;
 		case 'activate-selected':
+			if ( ! current_user_can('activate_plugins') )
+				wp_die(__('You do not have sufficient permissions to activate plugins for this blog.'));
+			
 			check_admin_referer('bulk-manage-plugins');
 
 			$plugins = (array) $_POST['checked'];
@@ -75,6 +84,9 @@ if ( !empty($action) ) {
 			exit;
 			break;
 		case 'error_scrape':
+			if ( ! current_user_can('activate_plugins') )
+				wp_die(__('You do not have sufficient permissions to activate plugins for this blog.'));
+
 			check_admin_referer('plugin-activation-error_' . $plugin);
 
 			$valid = validate_plugin($plugin);
@@ -88,6 +100,9 @@ if ( !empty($action) ) {
 			exit;
 			break;
 		case 'deactivate':
+			if ( ! current_user_can('activate_plugins') )
+				wp_die(__('You do not have sufficient permissions to deactivate plugins for this blog.'));
+
 			check_admin_referer('deactivate-plugin_' . $plugin);
 			deactivate_plugins($plugin);
 			update_option('recently_activated', array($plugin => time()) + (array)get_option('recently_activated'));
@@ -95,6 +110,9 @@ if ( !empty($action) ) {
 			exit;
 			break;
 		case 'deactivate-selected':
+			if ( ! current_user_can('activate_plugins') )
+				wp_die(__('You do not have sufficient permissions to deactivate plugins for this blog.'));
+
 			check_admin_referer('bulk-manage-plugins');
 
 			$plugins = (array) $_POST['checked'];

wp-admin/themes.php

@@ -9,6 +9,9 @@
 /** WordPress Administration Bootstrap */
 require_once('admin.php');
 
+if ( !current_user_can('switch_themes') )
+	wp_die( __( 'Cheatin’ uh?' ) );
+
 if ( isset($_GET['action']) ) {
 	if ( 'activate' == $_GET['action'] ) {
 		check_admin_referer('switch-theme_' . $_GET['template']);

wp-includes/vars.php

@@ -17,6 +17,7 @@ if ( is_admin() ) {
 	// wp-admin pages are checked more carefully
 	preg_match('#/wp-admin/?(.*?)$#i', $PHP_SELF, $self_matches);
 	$pagenow = $self_matches[1];
+	$pagenow = trim($pagenow, '/');
 	$pagenow = preg_replace('#\?.*?$#', '', $pagenow);
 	if ( '' === $pagenow || 'index' === $pagenow || 'index.php' === $pagenow ) {
 		$pagenow = 'index.php';