Remove check_permissions() calls outside of AJAX context. Also only check for switch_themes in check_permissions() for the themes table. see #15326.

git-svn-id: https://develop.svn.wordpress.org/trunk@16990 602fd350-edb4-49c9-b593-d223f7449a82

wp-admin/edit-comments.php

@@ -12,7 +12,6 @@ if ( !current_user_can('edit_posts') )
 	wp_die(__('Cheatin’ uh?'));
 
 $wp_list_table = get_list_table('WP_Comments_List_Table');
-$wp_list_table->check_permissions();
 $pagenum = $wp_list_table->get_pagenum();
 
 $doaction = $wp_list_table->current_action();

wp-admin/edit-tags.php

@@ -13,7 +13,6 @@ if ( !current_user_can( $tax->cap->manage_terms ) )
 	wp_die( __( 'Cheatin’ uh?' ) );
 
 $wp_list_table = get_list_table('WP_Terms_List_Table');
-$wp_list_table->check_permissions();
 
 $title = $tax->labels->name;
 

wp-admin/edit.php

@@ -24,7 +24,6 @@ if ( !current_user_can($post_type_object->cap->edit_posts) )
 	wp_die(__('Cheatin’ uh?'));
 
 $wp_list_table = get_list_table('WP_Posts_List_Table');
-$wp_list_table->check_permissions();
 $pagenum = $wp_list_table->get_pagenum();
 
 // Back-compat for viewing comments of an entry

wp-admin/includes/class-wp-ms-themes-list-table.php

@@ -39,14 +39,12 @@ class WP_MS_Themes_List_Table extends WP_List_Table {
 	function check_permissions() {
 		$menu_perms = get_site_option( 'menu_items', array() );
 
-		if ( empty( $menu_perms['themes'] ) ) {
-			if ( !is_super_admin() )
-				wp_die( __( 'Cheatin’ uh?' ) );
-		}
+		if ( empty( $menu_perms['themes'] ) && ! is_super_admin() )
+			wp_die( __( 'Cheatin’ uh?' ) );
 
 		if ( $this->is_site_themes && !current_user_can('manage_sites') )
 			wp_die( __( 'You do not have sufficient permissions to manage themes for this site.' ) );
-		else if ( !$this->is_site_themes && !current_user_can('manage_network_themes') )
+		elseif ( !$this->is_site_themes && !current_user_can('manage_network_themes') )
 			wp_die( __( 'You do not have sufficient permissions to manage network themes.' ) );
 	}
 

wp-admin/includes/class-wp-plugins-list-table.php

@@ -31,10 +31,8 @@ class WP_Plugins_List_Table extends WP_List_Table {
 		if ( is_multisite() ) {
 			$menu_perms = get_site_option( 'menu_items', array() );
 
-			if ( empty( $menu_perms['plugins'] ) ) {
-				if ( !is_super_admin() )
-					wp_die( __( 'Cheatin’ uh?' ) );
-			}
+			if ( empty( $menu_perms['plugins'] ) && ! is_super_admin() )
+				wp_die( __( 'Cheatin’ uh?' ) );
 		}
 
 		if ( !current_user_can('activate_plugins') )

wp-admin/includes/class-wp-themes-list-table.php

@@ -12,7 +12,8 @@ class WP_Themes_List_Table extends WP_List_Table {
 	var $features = array();
 
 	function check_permissions() {
-		if ( !current_user_can('switch_themes') && !current_user_can('edit_theme_options') )
+		// Do not check edit_theme_options here. AJAX calls for available themes require switch_themes.
+		if ( !current_user_can('switch_themes') )
 			wp_die( __( 'Cheatin’ uh?' ) );
 	}
 

wp-admin/includes/class-wp-users-list-table.php

@@ -25,11 +25,11 @@ class WP_Users_List_Table extends WP_List_Table {
 	}
 
 	function check_permissions() {
-		if ( !current_user_can('list_users') )
-			wp_die(__('Cheatin’ uh?'));
+		if ( ! $this->is_site_users && ! current_user_can( 'list_users' ) )
+			wp_die( __( 'Cheatin’ uh?' ) );
 
-		if ( $this->is_site_users && !current_user_can('manage_sites') )
-			wp_die(__('You do not have sufficient permissions to edit this site.'));
+		if ( $this->is_site_users && ! current_user_can( 'manage_sites' ) )
+			wp_die(__( 'You do not have sufficient permissions to edit this site.' ) );
 	}
 
 	function prepare_items() {

wp-admin/link-manager.php

@@ -12,7 +12,6 @@ if ( ! current_user_can( 'manage_links' ) )
 	wp_die( __( 'You do not have sufficient permissions to edit the links for this site.' ) );
 
 $wp_list_table = get_list_table('WP_Links_List_Table');
-$wp_list_table->check_permissions();
 
 // Handle bulk deletes
 $doaction = $wp_list_table->current_action();

wp-admin/network/site-themes.php

@@ -15,12 +15,10 @@ if ( ! is_multisite() )
 
 $menu_perms = get_site_option( 'menu_items', array() );
 
-if ( empty( $menu_perms['themes'] ) ) {
-	if ( !is_super_admin() )
-		wp_die( __( 'Cheatin’ uh?' ) );
-}
+if ( empty( $menu_perms['themes'] ) && ! is_super_admin() )
+	wp_die( __( 'Cheatin’ uh?' ) );
 
-if ( !current_user_can('manage_sites') )
+if ( ! current_user_can( 'manage_sites' ) )
 	wp_die( __( 'You do not have sufficient permissions to manage themes for this site.' ) );
 
 add_contextual_help($current_screen,
@@ -34,7 +32,6 @@ add_contextual_help($current_screen,
 );
 
 $wp_list_table = get_list_table('WP_MS_Themes_List_Table');
-$wp_list_table->check_permissions();
 
 $action = $wp_list_table->current_action();
 

wp-admin/network/site-users.php

@@ -17,7 +17,6 @@ if ( ! current_user_can('manage_sites') )
 	wp_die(__('You do not have sufficient permissions to edit this site.'));
 
 $wp_list_table = get_list_table('WP_Users_List_Table');
-$wp_list_table->check_permissions();
 $wp_list_table->prepare_items();
 
 $action = $wp_list_table->current_action();

wp-admin/network/sites.php

@@ -13,8 +13,10 @@ require_once( './admin.php' );
 if ( ! is_multisite() )
 	wp_die( __( 'Multisite support is not enabled.' ) );
 
+if ( ! current_user_can( 'manage_sites' ) )
+	wp_die( __( 'You do not have permission to access this page.' ) );
+
 $wp_list_table = get_list_table('WP_MS_Sites_List_Table');
-$wp_list_table->check_permissions();
 
 $title = __( 'Sites' );
 $parent_file = 'sites.php';

wp-admin/network/themes.php

@@ -15,16 +15,13 @@ if ( ! is_multisite() )
 
 $menu_perms = get_site_option( 'menu_items', array() );
 
-if ( empty( $menu_perms['themes'] ) ) {
-	if ( !is_super_admin() )
-		wp_die( __( 'Cheatin’ uh?' ) );
-}
+if ( empty( $menu_perms['themes'] ) && ! is_super_admin() )
+	wp_die( __( 'Cheatin’ uh?' ) );
 
 if ( !current_user_can('manage_network_themes') )
 	wp_die( __( 'You do not have sufficient permissions to manage network themes.' ) );
 
 $wp_list_table = get_list_table('WP_MS_Themes_List_Table');
-$wp_list_table->check_permissions();
 
 $action = $wp_list_table->current_action();
 

wp-admin/network/users.php

@@ -13,8 +13,10 @@ require_once( './admin.php' );
 if ( ! is_multisite() )
 	wp_die( __( 'Multisite support is not enabled.' ) );
 
+if ( ! current_user_can( 'manage_network_users' ) )
+	wp_die( __( 'You do not have permission to access this page.' ) );
+
 $wp_list_table = get_list_table('WP_MS_Users_List_Table');
-$wp_list_table->check_permissions();
 $wp_list_table->prepare_items();
 
 $title = __( 'Users' );

wp-admin/plugin-install.php

@@ -11,6 +11,7 @@ if ( !defined( 'IFRAME_REQUEST' ) && isset( $_GET['tab'] ) && ( 'plugin-informat
 
 /** WordPress Administration Bootstrap */
 require_once('./admin.php');
+
 if ( ! current_user_can('install_plugins') )
 	wp_die(__('You do not have sufficient permissions to install plugins on this site.'));
 
@@ -20,7 +21,6 @@ if ( is_multisite() && ! is_network_admin() ) {
 }
 
 $wp_list_table = get_list_table('WP_Plugin_Install_List_Table');
-$wp_list_table->check_permissions();
 $wp_list_table->prepare_items();
 
 $title = __('Install Plugins');

wp-admin/plugins.php

@@ -9,11 +9,17 @@
 /** WordPress Administration Bootstrap */
 require_once('./admin.php');
 
+if ( is_multisite() ) {
+	$menu_perms = get_site_option( 'menu_items', array() );
+
+	if ( empty( $menu_perms['plugins'] ) && ! is_super_admin() )
+		wp_die( __( 'Cheatin’ uh?' ) );
+}
+
 if ( !current_user_can('activate_plugins') )
 	wp_die( __( 'You do not have sufficient permissions to manage plugins for this site.' ) );
 
 $wp_list_table = get_list_table('WP_Plugins_List_Table');
-$wp_list_table->check_permissions();
 
 $action = $wp_list_table->current_action();
 

wp-admin/theme-install.php

@@ -11,6 +11,7 @@ if ( !defined( 'IFRAME_REQUEST' ) && isset( $_GET['tab'] ) && ( 'theme-informati
 
 /** WordPress Administration Bootstrap */
 require_once('./admin.php');
+
 if ( ! current_user_can('install_themes') )
 	wp_die( __( 'You do not have sufficient permissions to install themes on this site.' ) );
 
@@ -20,7 +21,6 @@ if ( is_multisite() && ! is_network_admin() ) {
 }
 
 $wp_list_table = get_list_table('WP_Theme_Install_List_Table');
-$wp_list_table->check_permissions();
 $wp_list_table->prepare_items();
 
 $title = __('Install Themes');

wp-admin/themes.php

@@ -8,11 +8,11 @@
 
 /** WordPress Administration Bootstrap */
 require_once('./admin.php');
+
 if ( !current_user_can('switch_themes') && !current_user_can('edit_theme_options') )
 	wp_die( __( 'Cheatin’ uh?' ) );
 
 $wp_list_table = get_list_table('WP_Themes_List_Table');
-$wp_list_table->check_permissions();
 
 if ( current_user_can( 'switch_themes' ) && isset($_GET['action'] ) ) {
 	if ( 'activate' == $_GET['action'] ) {

wp-admin/upload.php

@@ -9,8 +9,10 @@
 /** WordPress Administration Bootstrap */
 require_once( './admin.php' );
 
+if ( !current_user_can('upload_files') )
+	wp_die( __( 'You do not have permission to upload files.' ) );
+
 $wp_list_table = get_list_table('WP_Media_List_Table');
-$wp_list_table->check_permissions();
 
 // Handle bulk actions
 $doaction = $wp_list_table->current_action();

wp-admin/users.php

@@ -9,8 +9,10 @@
 /** WordPress Administration Bootstrap */
 require_once( './admin.php' );
 
+if ( ! current_user_can( 'list_users' ) )
+	wp_die( __( 'Cheatin’ uh?' ) );
+
 $wp_list_table = get_list_table('WP_Users_List_Table');
-$wp_list_table->check_permissions();
 
 $title = __('Users');
 $parent_file = 'users.php';