Nonce from above. #2678
git-svn-id: https://develop.svn.wordpress.org/trunk@3759 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
parent
b96cd6f60c
commit
fcfda4db13
@ -709,7 +709,7 @@ function page_rows($parent = 0, $level = 0, $pages = 0, $hierarchy = true) {
|
||||
<td><?php echo mysql2date('Y-m-d g:i a', $post->post_modified); ?></td>
|
||||
<td><a href="<?php the_permalink(); ?>" rel="permalink" class="edit"><?php _e('View'); ?></a></td>
|
||||
<td><?php if ( current_user_can('edit_page', $id) ) { echo "<a href='page.php?action=edit&post=$id' class='edit'>" . __('Edit') . "</a>"; } ?></td>
|
||||
<td><?php if ( current_user_can('edit_page', $id) ) { echo "<a href='page.php?action=delete&post=$id' class='delete' onclick=\"return deleteSomething( 'page', " . $id . ", '" . sprintf(__("You are about to delete the "%s" page.\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>
|
||||
<td><?php if ( current_user_can('edit_page', $id) ) { echo "<a href='" . wp_nonce_url("page.php?action=delete&post=$id", 'delete-page' . $id) . "' class='delete' onclick=\"return deleteSomething( 'page', " . $id . ", '" . sprintf(__("You are about to delete the "%s" page.\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>
|
||||
</tr>
|
||||
|
||||
<?php
|
||||
|
@ -24,7 +24,7 @@ switch($action) {
|
||||
|
||||
case 'addcat':
|
||||
|
||||
check_admin_referer();
|
||||
check_admin_referer('add-category');
|
||||
|
||||
if ( !current_user_can('manage_categories') )
|
||||
die (__('Cheatin’ uh?'));
|
||||
@ -35,13 +35,12 @@ case 'addcat':
|
||||
break;
|
||||
|
||||
case 'delete':
|
||||
|
||||
check_admin_referer();
|
||||
$cat_ID = (int) $_GET['cat_ID'];
|
||||
check_admin_referer('delete-category' . $cat_ID);
|
||||
|
||||
if ( !current_user_can('manage_categories') )
|
||||
die (__('Cheatin’ uh?'));
|
||||
|
||||
$cat_ID = (int) $_GET['cat_ID'];
|
||||
$cat_name = get_catname($cat_ID);
|
||||
|
||||
// Don't delete the default cats.
|
||||
@ -67,6 +66,7 @@ case 'edit':
|
||||
<div class="wrap">
|
||||
<h2><?php _e('Edit Category') ?></h2>
|
||||
<form name="editcat" action="categories.php" method="post">
|
||||
<?php wp_nonce_field('update-category' . $category->cat_ID); ?>
|
||||
<table class="editform" width="100%" cellspacing="2" cellpadding="5">
|
||||
<tr>
|
||||
<th width="33%" scope="row" valign="top"><label for="cat_name"><?php _e('Category name:') ?></label></th>
|
||||
@ -99,7 +99,8 @@ case 'edit':
|
||||
break;
|
||||
|
||||
case 'editedcat':
|
||||
check_admin_referer();
|
||||
$cat_ID = (int) $_POST['cat_ID'];
|
||||
check_admin_referer('update-category' . $cat_ID);
|
||||
|
||||
if ( !current_user_can('manage_categories') )
|
||||
die (__('Cheatin’ uh?'));
|
||||
@ -157,6 +158,7 @@ cat_rows();
|
||||
<div class="wrap">
|
||||
<h2><?php _e('Add New Category') ?></h2>
|
||||
<form name="addcat" id="addcat" action="categories.php" method="post">
|
||||
<?php wp_nonce_field('add-category'); ?>
|
||||
<div class="alignleft"><?php _e('Name:') ?><br />
|
||||
<input type="text" name="cat_name" id="cat_name" value="" /></p>
|
||||
<p><?php _e('Category parent:') ?><br />
|
||||
|
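Review bot: The new `check_admin_referer('delete-category' . $cat_ID)` in the 'delete' case has no matching generator anywhere in this commit; the only category form changes here are the add field (`add-category`) and the edit field (`'update-category' . $category->cat_ID`). If the per-category delete link is still emitted elsewhere (cat_rows() appears only as a hunk context header) as a plain `categories.php?action=delete&cat_ID=` URL without `wp_nonce_url(..., 'delete-category' . $cat_ID)`, every category deletion now dies in the referer check. Confirm the link generator was updated in the same change.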
@ -89,10 +89,9 @@ case 'mailapprovecomment':
|
||||
break;
|
||||
|
||||
case 'deletecomment':
|
||||
|
||||
check_admin_referer();
|
||||
|
||||
$comment = (int) $_REQUEST['comment'];
|
||||
check_admin_referer('delete-comment' . $comment);
|
||||
|
||||
$p = (int) $_REQUEST['p'];
|
||||
if ( isset($_REQUEST['noredir']) ) {
|
||||
$noredir = true;
|
||||
@ -123,10 +122,9 @@ case 'deletecomment':
|
||||
break;
|
||||
|
||||
case 'unapprovecomment':
|
||||
|
||||
check_admin_referer();
|
||||
|
||||
$comment = (int) $_GET['comment'];
|
||||
check_admin_referer('unapprove-comment' . $comment);
|
||||
|
||||
$p = (int) $_GET['p'];
|
||||
if (isset($_GET['noredir'])) {
|
||||
$noredir = true;
|
||||
@ -151,10 +149,9 @@ case 'unapprovecomment':
|
||||
break;
|
||||
|
||||
case 'approvecomment':
|
||||
|
||||
check_admin_referer();
|
||||
|
||||
$comment = (int) $_GET['comment'];
|
||||
check_admin_referer('approve-comment' . $comment);
|
||||
|
||||
$p = (int) $_GET['p'];
|
||||
if (isset($_GET['noredir'])) {
|
||||
$noredir = true;
|
||||
@ -184,7 +181,7 @@ case 'approvecomment':
|
||||
|
||||
case 'editedcomment':
|
||||
|
||||
check_admin_referer();
|
||||
check_admin_referer('update-comment');
|
||||
|
||||
edit_comment();
|
||||
|
||||
|
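Review bot: The action verified in the 'editedcomment' case, `check_admin_referer('update-comment')`, does not match the action the edit form emits in the edit-form-comment.php hunk, `wp_nonce_field('update-comment' . $comment->comment_ID)`, so every comment edit should fail the check. That form also posts a hidden `comment_ID` field (visible in its hunk header), so the handler can rebuild the same string: `$comment_ID = (int) $_POST['comment_ID'];` followed by `check_admin_referer('update-comment' . $comment_ID);`, mirroring how the 'deletecomment' case in this file scopes its nonce to the comment id. The switch this case belongs to continues outside the hunk.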
@ -51,7 +51,7 @@ function getNumChecked(form)
|
||||
<p><a href="?mode=view"><?php _e('View Mode') ?></a> | <a href="?mode=edit"><?php _e('Mass Edit Mode') ?></a></p>
|
||||
<?php
|
||||
if ( !empty( $_POST['delete_comments'] ) ) :
|
||||
check_admin_referer();
|
||||
check_admin_referer('bulk-comments');
|
||||
|
||||
$i = 0;
|
||||
foreach ($_POST['delete_comments'] as $comment) : // Check the permissions on each
|
||||
@ -119,10 +119,10 @@ if ('view' == $mode) {
|
||||
<?php
|
||||
if ( current_user_can('edit_post', $comment->comment_post_ID) ) {
|
||||
echo " <a href='comment.php?action=editcomment&comment=".$comment->comment_ID."\'>" . __('Edit') . '</a>';
|
||||
echo ' | <a href="comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete') . '</a> ';
|
||||
echo ' | <a href="' . wp_nonce_url('comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'delete-comment' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete') . '</a> ';
|
||||
if ( ('none' != $comment_status) && ( current_user_can('moderate_comments') ) ) {
|
||||
echo '<span class="unapprove"> | <a href="comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>';
|
||||
echo '<span class="approve"> | <a href="comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>';
|
||||
echo '<span class="unapprove"> | <a href="' . wp_nonce_url('comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'unapprove-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>';
|
||||
echo '<span class="approve"> | <a href="' . wp_nonce_url('comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'approve-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>';
|
||||
}
|
||||
echo " | <a href=\"comment.php?action=deletecomment&delete_type=spam&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), wp_specialchars( $comment->comment_author, 1 )) . "' );\">" . __('Spam') . "</a> ";
|
||||
}
|
||||
@ -150,8 +150,9 @@ $post_title = ('' == $post_title) ? "# $comment->comment_post_ID" : $post_title;
|
||||
} elseif ('edit' == $mode) {
|
||||
|
||||
if ($comments) {
|
||||
echo '<form name="deletecomments" id="deletecomments" action="" method="post">
|
||||
<table width="100%" cellpadding="3" cellspacing="3">
|
||||
echo '<form name="deletecomments" id="deletecomments" action="" method="post"> ';
|
||||
wp_nonce_field('bulk-comments');
|
||||
echo '<table width="100%" cellpadding="3" cellspacing="3">
|
||||
<tr>
|
||||
<th scope="col">*</th>
|
||||
<th scope="col">' . __('Name') . '</th>
|
||||
|
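Review bot: In the 'view' mode hunk the Spam link (`comment.php?action=deletecomment&delete_type=spam...`) is left as a plain URL while the Delete, Unapprove and Approve links beside it were wrapped in wp_nonce_url(); since comment.php's 'deletecomment' case now calls `check_admin_referer('delete-comment' . $comment)`, marking a comment as spam from this page will fail the referer check. The edit.php hunk in this commit updates the identical line with `wp_nonce_url("comment.php?action=deletecomment&delete_type=spam&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID, 'delete-comment' . $comment->comment_ID)`; apply the same change here so the two listings stay consistent.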
@ -22,9 +22,11 @@ if (0 == $post_ID) {
|
||||
$form_action = 'post';
|
||||
$temp_ID = -1 * time();
|
||||
$form_extra = "<input type='hidden' id='post_ID' name='temp_ID' value='$temp_ID' />";
|
||||
wp_nonce_field('add-post');
|
||||
} else {
|
||||
$form_action = 'editpost';
|
||||
$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
|
||||
wp_nonce_field('update-post' . $post_ID);
|
||||
}
|
||||
|
||||
$form_pingback = '<input type="hidden" name="post_pingback" value="' . get_option('default_pingback_flag') . '" id="post_pingback" />';
|
||||
@ -173,7 +175,7 @@ else
|
||||
<?php
|
||||
if (current_user_can('upload_files')) {
|
||||
$uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID);
|
||||
$uploading_iframe_src = "inline-uploading.php?action=view&post=$uploading_iframe_ID";
|
||||
$uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&post=$uploading_iframe_ID", 'inlineuploading');
|
||||
$uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src);
|
||||
if ( false != $uploading_iframe_src )
|
||||
echo '<iframe id="uploading" border="0" src="' . $uploading_iframe_src . '">' . __('This feature requires iframe support.') . '</iframe>';
|
||||
|
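Review bot: `wp_nonce_field('add-post')` and `wp_nonce_field('update-post' . $post_ID)` echo their hidden input at the moment they are called, yet they sit in the setup block where `$form_extra` and `$form_pingback` are only stored for later output; if the `<form>` tag is emitted further down the file (it is not in this hunk), the nonce field lands outside the form and is never submitted. The edit-page-form.php hunk in this commit handles the same situation by recording `$nonce_action = 'add-page';` / `$nonce_action = 'update-page' . $post_ID;` in the setup block and calling `wp_nonce_field($nonce_action);` inside the form; do the same here, keeping the action strings that post.php checks.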
@ -6,6 +6,7 @@ $form_extra = "' />\n<input type='hidden' name='comment_ID' value='" . $comment-
|
||||
?>
|
||||
|
||||
<form name="post" action="comment.php" method="post" id="post">
|
||||
<?php wp_nonce_field('update-comment' . $comment->comment_ID) ?>
|
||||
<div class="wrap">
|
||||
<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
|
||||
<input type="hidden" name="action" value='<?php echo $form_action . $form_extra ?>' />
|
||||
|
@ -2,11 +2,13 @@
|
||||
if ( ! empty($link_id) ) {
|
||||
$heading = __('Edit Bookmark');
|
||||
$submit_text = __('Save Changes »');
|
||||
$form = '<form name="editlink" id="editlink" method="post" action="link.php">';
|
||||
$form = '<form name="editlink" id="editlink" method="post" action="link.php">';
|
||||
$nonce_action = 'update-bookmark' . $link_id;
|
||||
} else {
|
||||
$heading = __('Create Bookmark');
|
||||
$submit_text = __('Add Bookmark »');
|
||||
$form = '<form name="addlink" id="addlink" method="post" action="link.php">';
|
||||
$nonce_action = 'add-bookmark';
|
||||
}
|
||||
|
||||
function xfn_check($class, $value = '', $type = 'check') {
|
||||
@ -31,7 +33,8 @@ function xfn_check($class, $value = '', $type = 'check') {
|
||||
<div class="wrap">
|
||||
<h2><?php echo $heading ?></h2>
|
||||
<?php echo $form ?>
|
||||
|
||||
<?php wp_nonce_field($nonce_action); ?>
|
||||
|
||||
<div id="poststuff">
|
||||
<div id="moremeta">
|
||||
<div id="grabit" class="dbx-group">
|
||||
|
@ -5,10 +5,12 @@
|
||||
<?php
|
||||
if (0 == $post_ID) {
|
||||
$form_action = 'post';
|
||||
$nonce_action = 'add-page';
|
||||
$temp_ID = -1 * time();
|
||||
$form_extra = "<input type='hidden' id='post_ID' name='temp_ID' value='$temp_ID' />";
|
||||
} else {
|
||||
$form_action = 'editpost';
|
||||
$nonce_action = 'update-page' . $post_ID;
|
||||
$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
|
||||
}
|
||||
|
||||
@ -23,6 +25,8 @@ $sendto = wp_specialchars( $sendto );
|
||||
<form name="post" action="page.php" method="post" id="post">
|
||||
|
||||
<?php
|
||||
wp_nonce_field($nonce_action);
|
||||
|
||||
if (isset($mode) && 'bookmarklet' == $mode) {
|
||||
echo '<input type="hidden" name="mode" value="bookmarklet" />';
|
||||
}
|
||||
@ -150,7 +154,7 @@ if ('publish' != $post->post_status || 0 == $post_ID):
|
||||
<?php
|
||||
if (current_user_can('upload_files')) {
|
||||
$uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID);
|
||||
$uploading_iframe_src = "inline-uploading.php?action=view&post=$uploading_iframe_ID";
|
||||
$uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&post=$uploading_iframe_ID", 'inlineuploading');
|
||||
$uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src);
|
||||
if ( false != $uploading_iframe_src )
|
||||
echo '<iframe id="uploading" border="0" src="' . $uploading_iframe_src . '">' . __('This feature requires iframe support.') . '</iframe>';
|
||||
|
@ -211,7 +211,7 @@ foreach($posts_columns as $column_name=>$column_display_name) {
|
||||
|
||||
case 'control_delete':
|
||||
?>
|
||||
<td><?php if ( current_user_can('delete_post',$post->ID) ) { echo "<a href='post.php?action=delete&post=$id' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>
|
||||
<td><?php if ( current_user_can('delete_post',$post->ID) ) { echo "<a href='" . wp_nonce_url("post.php?action=delete&post=$id", 'delete-post' . $post->ID) . "' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>
|
||||
<?php
|
||||
break;
|
||||
|
||||
@ -273,12 +273,12 @@ foreach ($comments as $comment) {
|
||||
<?php
|
||||
if ( current_user_can('edit_post', $comment->comment_post_ID) ) {
|
||||
echo " <a href='comment.php?action=editcomment&comment=".$comment->comment_ID."\'>" . __('Edit') . '</a>';
|
||||
echo ' | <a href="comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete') . '</a> ';
|
||||
echo ' | <a href="' . wp_nonce_url('comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'delete-comment' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete') . '</a> ';
|
||||
if ( ('none' != $comment_status) && ( current_user_can('moderate_comments') ) ) {
|
||||
echo '<span class="unapprove"> | <a href="comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>';
|
||||
echo '<span class="approve"> | <a href="comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>';
|
||||
echo '<span class="unapprove"> | <a href="' . wp_nonce_url('comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'unapprove-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>';
|
||||
echo '<span class="approve"> | <a href="' . wp_nonce_url('comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'approve-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>';
|
||||
}
|
||||
echo " | <a href=\"comment.php?action=deletecomment&delete_type=spam&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), wp_specialchars( $comment->comment_author, 1 )) . "' );\">" . __('Spam') . "</a> ]";
|
||||
echo " | <a href=\"" . wp_nonce_url("comment.php?action=deletecomment&delete_type=spam&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID, 'delete-comment' . $comment->comment_ID) . "\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), wp_specialchars( $comment->comment_author, 1 )) . "' );\">" . __('Spam') . "</a> ]";
|
||||
} // end if any comments to show
|
||||
?>
|
||||
</p>
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
require_once('admin.php');
|
||||
|
||||
check_admin_referer();
|
||||
check_admin_referer('inlineuploading');
|
||||
|
||||
header('Content-Type: text/html; charset=' . get_option('blog_charset'));
|
||||
|
||||
@ -41,7 +41,7 @@ if ( !current_user_can('edit_post', (int) $attachment) )
|
||||
|
||||
wp_delete_attachment($attachment);
|
||||
|
||||
header("Location: ".basename(__FILE__)."?post=$post&all=$all&action=view&start=$start");
|
||||
header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&all=$all&action=view&start=$start", 'inlineuploading'));
|
||||
die;
|
||||
|
||||
case 'save':
|
||||
@ -100,7 +100,7 @@ if ( preg_match('!^image/!', $attachment['post_mime_type']) ) {
|
||||
add_post_meta($id, '_wp_attachment_metadata', array());
|
||||
}
|
||||
|
||||
header("Location: ".basename(__FILE__)."?post=$post&all=$all&action=view&start=0");
|
||||
header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&all=$all&action=view&start=0", 'inlineuploading'));
|
||||
die();
|
||||
|
||||
case 'upload':
|
||||
@ -139,7 +139,7 @@ if ( '' == $sort )
|
||||
$attachments = $wpdb->get_results("SELECT ID, post_date, post_title, post_mime_type, guid FROM $wpdb->posts WHERE post_type = 'attachment' $and_type $and_post $and_user ORDER BY $sort LIMIT $start, $double", ARRAY_A);
|
||||
|
||||
if ( count($attachments) == 0 ) {
|
||||
header("Location: ".basename(__FILE__)."?post=$post&action=upload");
|
||||
header("Location: ". wp_nonce_url(basename(__FILE__)."?post=$post&action=upload", 'inlineuploading') );
|
||||
die;
|
||||
} elseif ( count($attachments) > $num ) {
|
||||
$next = $start + count($attachments) - $num;
|
||||
|
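Review bot: The three redirects in the 'delete', 'save' and empty-attachments paths now pass the result of wp_nonce_url() straight into a `Location:` header. Everywhere else in this commit wp_nonce_url() is used inside HTML attributes, and if it HTML-escapes its output (its later documented behaviour turns `&` into `&amp;`), the redirected query string would not parse and the `check_admin_referer('inlineuploading')` at the top of this file would reject the follow-up request. Either build the header value from `add_query_arg('_wpnonce', wp_create_nonce('inlineuploading'), ...)` or confirm that wp_nonce_url() returns a raw URL here. Separately, 'inlineuploading' is the only action string in the commit not scoped to the object acted on; that may be deliberate given the per-attachment capability check shown in the 'delete' hunk header, but it is worth a comment.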
@ -110,6 +110,7 @@ bookmarks ordered by
|
||||
</form>
|
||||
|
||||
<form id="links" method="post" action="link.php">
|
||||
<?php wp_nonce_field('bulk-bookmarks') ?>
|
||||
<input type="hidden" name="link_id" value="" />
|
||||
<input type="hidden" name="action" value="" />
|
||||
<input type="hidden" name="order_by" value="<?php echo wp_specialchars($order_by, 1); ?>" />
|
||||
@ -175,7 +176,7 @@ if ($links)
|
||||
<?php
|
||||
|
||||
echo '<td><a href="link.php?link_id='.$link->link_id.'&action=edit" class="edit">'.__('Edit').'</a></td>';
|
||||
echo '<td><a href="link.php?link_id='.$link->link_id.'&action=delete"'." class='delete' onclick=\"return deleteSomething( 'link', $link->link_id , '".sprintf(__("You are about to delete the "%s" bookmark to %s.\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($link->link_name, 1), wp_specialchars($link->link_url)).'\' );" class="delete">'.__('Delete').'</a></td>';
|
||||
echo '<td><a href="' . wp_nonce_url('link.php?link_id='.$link->link_id.'&action=delete', 'delete-bookmark' . $link->link_id ) . '"'." class='delete' onclick=\"return deleteSomething( 'link', $link->link_id , '".sprintf(__("You are about to delete the "%s" bookmark to %s.\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($link->link_name, 1), wp_specialchars($link->link_url)).'\' );" class="delete">'.__('Delete').'</a></td>';
|
||||
echo '<td align="center"><input type="checkbox" name="linkcheck[]" value="'.$link->link_id.'" /></td>';
|
||||
echo "\n </tr>\n";
|
||||
}
|
||||
|
@ -29,7 +29,7 @@ $this_file = 'link-manager.php';
|
||||
|
||||
switch ($action) {
|
||||
case 'deletebookmarks' :
|
||||
check_admin_referer();
|
||||
check_admin_referer('bulk-bookmarks');
|
||||
|
||||
// check the current user's level first.
|
||||
if (!current_user_can('manage_links'))
|
||||
@ -53,7 +53,7 @@ switch ($action) {
|
||||
break;
|
||||
|
||||
case 'move' :
|
||||
check_admin_referer();
|
||||
check_admin_referer('bulk-bookmarks');
|
||||
|
||||
// check the current user's level first.
|
||||
if (!current_user_can('manage_links'))
|
||||
@ -72,7 +72,7 @@ switch ($action) {
|
||||
break;
|
||||
|
||||
case 'add' :
|
||||
check_admin_referer();
|
||||
check_admin_referer('add-bookmark');
|
||||
|
||||
add_link();
|
||||
|
||||
@ -80,9 +80,9 @@ switch ($action) {
|
||||
break;
|
||||
|
||||
case 'save' :
|
||||
check_admin_referer();
|
||||
|
||||
$link_id = (int) $_POST['link_id'];
|
||||
check_admin_referer('update-bookmark' . $link_id);
|
||||
|
||||
edit_link($link_id);
|
||||
|
||||
wp_redirect($this_file);
|
||||
@ -90,13 +90,12 @@ switch ($action) {
|
||||
break;
|
||||
|
||||
case 'delete' :
|
||||
check_admin_referer();
|
||||
$link_id = (int) $_GET['link_id'];
|
||||
check_admin_referer('delete-bookmark' . $link_id);
|
||||
|
||||
if (!current_user_can('manage_links'))
|
||||
die(__("Cheatin' uh ?"));
|
||||
|
||||
$link_id = (int) $_GET['link_id'];
|
||||
|
||||
wp_delete_link($link_id);
|
||||
|
||||
wp_redirect($this_file);
|
||||
|
@ -32,7 +32,7 @@ switch($action) {
|
||||
|
||||
case 'update':
|
||||
|
||||
check_admin_referer();
|
||||
check_admin_referer('moderate-comments');
|
||||
|
||||
if ( ! current_user_can('moderate_comments') )
|
||||
die('<p>'.__('Your level is not high enough to moderate comments.').'</p>');
|
||||
@ -132,6 +132,7 @@ if ($comments) {
|
||||
?>
|
||||
<h2><?php _e('Moderation Queue') ?></h2>
|
||||
<form name="approval" action="moderation.php" method="post">
|
||||
<?php wp_nonce_field('moderate-comments') ?>
|
||||
<input type="hidden" name="action" value="update" />
|
||||
<ol id="the-list" class="commentlist">
|
||||
<?php
|
||||
|
@ -21,6 +21,7 @@ if ($action == 'retrospam') {
|
||||
<div class="wrap">
|
||||
<h2><?php _e('Discussion Options') ?></h2>
|
||||
<form method="post" action="options.php">
|
||||
<?php wp_nonce_field('update-options') ?>
|
||||
<fieldset class="options">
|
||||
<legend><?php _e('Usual settings for an article:<br /><small><em>(These settings may be overridden for individual articles.)</em></small>') ?></legend>
|
||||
<ul>
|
||||
|
@ -10,6 +10,7 @@ include('./admin-header.php');
|
||||
<div class="wrap">
|
||||
<h2><?php _e('General Options') ?></h2>
|
||||
<form method="post" action="options.php">
|
||||
<?php wp_nonce_field('update-options') ?>
|
||||
<table class="optiontable">
|
||||
<tr valign="top">
|
||||
<th scope="row"><?php _e('Weblog title:') ?></th>
|
||||
|
@ -11,7 +11,7 @@ include('admin-header.php');
|
||||
<div class="wrap">
|
||||
<h2><?php _e('Miscellaneous Options') ?></h2>
|
||||
<form method="post" action="options.php">
|
||||
|
||||
<?php wp_nonce_field('update-options') ?>
|
||||
<fieldset class="options">
|
||||
<legend><?php _e('Uploading'); ?></legend>
|
||||
<table class="editform optiontable">
|
||||
|
@ -57,8 +57,8 @@ include('admin-header.php');
|
||||
|
||||
$home_path = get_home_path();
|
||||
|
||||
if ( isset($_POST) ) {
|
||||
check_admin_referer();
|
||||
if ( isset($_POST['permalink_structure']) || isset($_POST['category_base']) ) {
|
||||
check_admin_referer('update-permalink');
|
||||
|
||||
if ( isset($_POST['permalink_structure']) ) {
|
||||
$permalink_structure = $_POST['permalink_structure'];
|
||||
@ -117,6 +117,7 @@ $structures = array(
|
||||
);
|
||||
?>
|
||||
<form name="form" action="options-permalink.php" method="post">
|
||||
<?php wp_nonce_field('update-permalink') ?>
|
||||
<h3><?php _e('Common options:'); ?></h3>
|
||||
<p>
|
||||
<label>
|
||||
@ -165,6 +166,7 @@ checked="checked"
|
||||
<?php if ( $permalink_structure && !$usingpi && !$writable ) : ?>
|
||||
<p><?php _e('If your <code>.htaccess</code> file were <a href="http://codex.wordpress.org/Make_a_Directory_Writable">writable</a>, we could do this automatically, but it isn’t so these are the mod_rewrite rules you should have in your <code>.htaccess</code> file. Click in the field and press <kbd>CTRL + a</kbd> to select all.') ?></p>
|
||||
<form action="options-permalink.php" method="post">
|
||||
<?php wp_nonce_field('update-permalink') ?>
|
||||
<p>
|
||||
<textarea rows="5" style="width: 98%;" name="rules"><?php echo $wp_rewrite->mod_rewrite_rules(); ?>
|
||||
</textarea>
|
||||
|
@ -10,6 +10,7 @@ include('admin-header.php');
|
||||
<div class="wrap">
|
||||
<h2><?php _e('Reading Options') ?></h2>
|
||||
<form name="form1" method="post" action="options.php">
|
||||
<?php wp_nonce_field('update-options') ?>
|
||||
|
||||
<?php if ( get_pages() ): ?>
|
||||
<fieldset class="options">
|
||||
|
@ -10,6 +10,7 @@ include('admin-header.php');
|
||||
<div class="wrap">
|
||||
<h2><?php _e('Writing Options') ?></h2>
|
||||
<form method="post" action="options.php">
|
||||
<?php wp_nonce_field('update-options') ?>
|
||||
<table width="100%" cellspacing="2" cellpadding="5" class="editform">
|
||||
<tr valign="top">
|
||||
<th width="33%" scope="row"> <?php _e('Size of the post box:') ?></th>
|
||||
|
@ -29,7 +29,7 @@ switch($action) {
|
||||
case 'update':
|
||||
$any_changed = 0;
|
||||
|
||||
check_admin_referer();
|
||||
check_admin_referer('update-options');
|
||||
|
||||
if (!$_POST['page_options']) {
|
||||
foreach ($_POST as $key => $value) {
|
||||
@ -89,6 +89,7 @@ default:
|
||||
<div class="wrap">
|
||||
<h2><?php _e('All options'); ?></h2>
|
||||
<form name="form" action="options.php" method="post">
|
||||
<?php wp_nonce_field('update-options') ?>
|
||||
<input type="hidden" name="action" value="update" />
|
||||
<table width="98%">
|
||||
<?php
|
||||
|
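Review bot: The 'update' case now requires `check_admin_referer('update-options')`, but the fallback loop that follows (`if (!$_POST['page_options']) { foreach ($_POST as $key => $value) {`) treats every POST key as an option name; the hidden `_wpnonce` input that wp_nonce_field() adds (and any companion hidden field it emits) will now be iterated and, if the loop body writes each key with update_option(), stored as a bogus option. Skip the framework fields before that body runs, e.g. `if ( '_wpnonce' == $key || 0 === strpos($key, '_wp_') ) continue;`. The loop body is outside the hunk, so confirm what it does with `$key`.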
@ -24,7 +24,7 @@ $action = "delete";
|
||||
|
||||
switch($action) {
|
||||
case 'post':
|
||||
|
||||
check_admin_referer('add-page');
|
||||
$page_ID = write_post();
|
||||
|
||||
// Redirect.
|
||||
@ -76,6 +76,7 @@ case 'edit':
|
||||
|
||||
case 'editattachment':
|
||||
$page_id = $post_ID = (int) $_POST['post_ID'];
|
||||
check_admin_referer('update-attachment' . $page_id);
|
||||
|
||||
// Don't let these be changed
|
||||
unset($_POST['guid']);
|
||||
@ -91,6 +92,9 @@ case 'editattachment':
|
||||
add_post_meta($page_id, '_wp_attachment_metadata', $newmeta);
|
||||
|
||||
case 'editpost':
|
||||
$page_ID = (int) $_POST['post_ID'];
|
||||
check_admin_referer('update-page' . $page_ID);
|
||||
|
||||
$page_ID = edit_post();
|
||||
|
||||
if ($_POST['save']) {
|
||||
@ -114,9 +118,8 @@ case 'editpost':
|
||||
break;
|
||||
|
||||
case 'delete':
|
||||
check_admin_referer();
|
||||
|
||||
$page_id = (isset($_GET['post'])) ? intval($_GET['post']) : intval($_POST['post_ID']);
|
||||
check_admin_referer('delete-page' . $page_id);
|
||||
|
||||
$page = & get_post($page_id);
|
||||
|
||||
|
@ -34,7 +34,7 @@ switch($action) {
|
||||
|
||||
case 'update':
|
||||
|
||||
check_admin_referer();
|
||||
check_admin_referer('edit-plugin' . $file);
|
||||
|
||||
if ( !current_user_can('edit_plugins') )
|
||||
die('<p>'.__('You have do not have sufficient permissions to edit templates for this blog.').'</p>');
|
||||
@ -97,6 +97,7 @@ if ($plugin_files) :
|
||||
</div>
|
||||
<?php if (!$error) { ?>
|
||||
<form name="template" id="template" action="plugin-editor.php" method="post">
|
||||
<?php wp_nonce_field('edit-plugin' . $file) ?>
|
||||
<div><textarea cols="70" rows="25" name="newcontent" id="newcontent" tabindex="1"><?php echo $content ?></textarea>
|
||||
<input type="hidden" name="action" value="update" />
|
||||
<input type="hidden" name="file" value="<?php echo $file ?>" />
|
||||
|
@ -2,9 +2,8 @@
|
||||
require_once('admin.php');
|
||||
|
||||
if ( isset($_GET['action']) ) {
|
||||
check_admin_referer();
|
||||
|
||||
if ('activate' == $_GET['action']) {
|
||||
check_admin_referer('activate-plugin' . $_GET['plugin']);
|
||||
$current = get_settings('active_plugins');
|
||||
if (!in_array($_GET['plugin'], $current)) {
|
||||
$current[] = trim( $_GET['plugin'] );
|
||||
@ -15,6 +14,7 @@ if ( isset($_GET['action']) ) {
|
||||
}
|
||||
header('Location: plugins.php?activate=true');
|
||||
} else if ('deactivate' == $_GET['action']) {
|
||||
check_admin_referer('deactivate-plugin' . $_GET['plugin']);
|
||||
$current = get_settings('active_plugins');
|
||||
array_splice($current, array_search( $_GET['plugin'], $current), 1 ); // Array-fu!
|
||||
update_option('active_plugins', $current);
|
||||
@ -98,11 +98,11 @@ if (empty($plugins)) {
|
||||
$style = ('class="alternate"' == $style|| 'class="alternate active"' == $style) ? '' : 'alternate';
|
||||
|
||||
if (!empty($current_plugins) && in_array($plugin_file, $current_plugins)) {
|
||||
$action = "<a href='plugins.php?action=deactivate&plugin=$plugin_file' title='".__('Deactivate this plugin')."' class='delete'>".__('Deactivate')."</a>";
|
||||
$action = "<a href='" . wp_nonce_url("plugins.php?action=deactivate&plugin=$plugin_file", 'deactivate-plugin' . $plugin_file) . "' title='".__('Deactivate this plugin')."' class='delete'>".__('Deactivate')."</a>";
|
||||
$plugin_data['Title'] = "<strong>{$plugin_data['Title']}</strong>";
|
||||
$style .= $style == 'alternate' ? ' active' : 'active';
|
||||
} else {
|
||||
$action = "<a href='plugins.php?action=activate&plugin=$plugin_file' title='".__('Activate this plugin')."' class='edit'>".__('Activate')."</a>";
|
||||
$action = "<a href='" . wp_nonce_url("plugins.php?action=activate&plugin=$plugin_file", 'activate-plugin' . $plugin_file) . "' title='".__('Activate this plugin')."' class='edit'>".__('Activate')."</a>";
|
||||
}
|
||||
$plugin_data['Description'] = wp_kses($plugin_data['Description'], array('a' => array('href' => array(),'title' => array()),'abbr' => array('title' => array()),'acronym' => array('title' => array()),'code' => array(),'em' => array(),'strong' => array()) ); ;
|
||||
if ($style != '') $style = 'class="' . $style . '"';
|
||||
|
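Review bot: Binding the nonce to `$_GET['plugin']` (`'activate-plugin' . $_GET['plugin']`) protects against cross-site requests but does not validate the value itself: the only check before `$current[] = trim( $_GET['plugin'] );` is that it is not already active, so a value that is not an installed plugin can still be written to `active_plugins` if nothing outside the hunk rejects it. Consider checking it against the keys of the installed-plugin list before storing. Note also that the nonce is computed from the raw value while the stored value is trimmed; computing both from the same normalised value avoids storing a form that differs from what was nonced.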
@ -24,7 +24,7 @@ if ( isset( $_POST['deletepost'] ) )
|
||||
switch($action) {
|
||||
case 'postajaxpost':
|
||||
case 'post':
|
||||
check_admin_referer();
|
||||
check_admin_referer('add-post');
|
||||
|
||||
$post_ID = 'post' == $action ? write_post() : edit_post();
|
||||
|
||||
@ -78,10 +78,10 @@ case 'edit':
|
||||
break;
|
||||
|
||||
case 'editattachment':
|
||||
check_admin_referer();
|
||||
|
||||
$post_id = (int) $_POST['post_ID'];
|
||||
|
||||
check_admin_referer('update-attachment' . $post_id);
|
||||
|
||||
// Don't let these be changed
|
||||
unset($_POST['guid']);
|
||||
$_POST['post_type'] = 'attachment';
|
||||
@ -96,7 +96,8 @@ case 'editattachment':
|
||||
add_post_meta($post_id, '_wp_attachment_metadata', $newmeta);
|
||||
|
||||
case 'editpost':
|
||||
check_admin_referer();
|
||||
$post_ID = (int) $_POST['post_ID'];
|
||||
check_admin_referer('update-post' . $post_ID);
|
||||
|
||||
$post_ID = edit_post();
|
||||
|
||||
@ -121,9 +122,8 @@ case 'editpost':
|
||||
break;
|
||||
|
||||
case 'delete':
|
||||
check_admin_referer();
|
||||
|
||||
$post_id = (isset($_GET['post'])) ? intval($_GET['post']) : intval($_POST['post_ID']);
|
||||
check_admin_referer('delete-post' . $post_id);
|
||||
|
||||
$post = & get_post($post_id);
|
||||
|
||||
|
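Review bot: The 'postajaxpost' case falls through into `check_admin_referer('add-post')`, so whatever submits that action (an AJAX form not touched by this commit) must now send an 'add-post' nonce too; the only generator of that action in this commit is the `wp_nonce_field('add-post')` added to edit-form-advanced.php. If the AJAX submitter was not updated, quick posting fails the referer check. Either add the field to that form or give 'postajaxpost' its own action string and field.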
@ -2,7 +2,7 @@
|
||||
|
||||
require_once('admin.php');
|
||||
|
||||
check_admin_referer();
|
||||
check_admin_referer('update-profile' . $user_ID);
|
||||
|
||||
if ( !$_POST )
|
||||
die( __('No post?') );
|
||||
|
@ -19,6 +19,7 @@ $bookmarklet_height= 440;
|
||||
<div class="wrap">
|
||||
<h2><?php _e('Your Profile and Personal Options'); ?></h2>
|
||||
<form name="profile" id="your-profile" action="profile-update.php" method="post">
|
||||
<?php wp_nonce_field('update-profile' . $user_ID) ?>
|
||||
<p>
|
||||
<input type="hidden" name="from" value="profile" />
|
||||
<input type="hidden" name="checkuser_id" value="<?php echo $user_ID ?>" />
|
||||
|
@ -36,7 +36,7 @@ switch($action) {
|
||||
|
||||
case 'update':
|
||||
|
||||
check_admin_referer();
|
||||
check_admin_referer('edit-file' . $file);
|
||||
|
||||
if ( ! current_user_can('edit_files') )
|
||||
die('<p>'.__('You do not have sufficient permissions to edit templates for this blog.').'</p>');
|
||||
@ -128,6 +128,7 @@ endif;
|
||||
</div>
|
||||
<?php if (!$error) { ?>
|
||||
<form name="template" id="template" action="templates.php" method="post">
|
||||
<?php wp_nonce_field('edit-file' . $file) ?>
|
||||
<div><textarea cols="70" rows="25" name="newcontent" id='newcontent' tabindex="1"><?php echo $content ?></textarea>
|
||||
<input type="hidden" name="action" value="update" />
|
||||
<input type="hidden" name="file" value="<?php echo $file ?>" />
|
||||
|
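Review bot: `$file`, which the form posts back through the hidden input and which now forms part of the nonce action, is echoed unescaped into that input's value on the `<input type="hidden" name="file" …>` line, and `$content` goes into the textarea unescaped, so a file name containing `"` or file contents containing `</textarea>` break the markup; escape both at the output point: `value="<?php echo wp_specialchars($file, 'double') ?>"` and `<?php echo wp_specialchars($content) ?>` inside the textarea, unless `$content` was already escaped where it was read, which is outside this hunk. Where `$file` is validated against the list of editable files is also outside the hunk; that validation must still happen before the file is written.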
@ -47,7 +47,7 @@ switch($action) {
|
||||
|
||||
case 'update':
|
||||
|
||||
check_admin_referer();
|
||||
check_admin_referer('edit-theme' . $file . $theme);
|
||||
|
||||
if ( !current_user_can('edit_themes') )
|
||||
die('<p>'.__('You have do not have sufficient permissions to edit templates for this blog.').'</p>');
|
||||
@ -131,6 +131,7 @@ if ($allowed_files) :
|
||||
if (!$error) {
|
||||
?>
|
||||
<form name="template" id="template" action="theme-editor.php" method="post">
|
||||
<?php wp_nonce_field('edit-theme' . $file . $theme) ?>
|
||||
<div><textarea cols="70" rows="25" name="newcontent" id="newcontent" tabindex="1"><?php echo $content ?></textarea>
|
||||
<input type="hidden" name="action" value="update" />
|
||||
<input type="hidden" name="file" value="<?php echo $file ?>" />
|
||||
|
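Review bot: The nonce action `'edit-theme' . $file . $theme` concatenates two request-controlled strings with no separator, so different (file, theme) pairs can produce the same action string and therefore the same nonce (file `a` with theme `bc` versus file `ab` with theme `c`); put a delimiter between them on both sides: `check_admin_referer('edit-theme_' . $theme . '_' . $file);` and `<?php wp_nonce_field('edit-theme_' . $theme . '_' . $file) ?>`. The same unescaped `echo $file` in the hidden input and `echo $content` in the textarea appear here as in templates.php; `wp_specialchars` on both would be prudent. Where `$file` and `$theme` are validated is outside the hunk.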
@ -2,7 +2,7 @@
|
||||
require_once('admin.php');
|
||||
|
||||
if ( isset($_GET['action']) ) {
|
||||
check_admin_referer();
|
||||
check_admin_referer('switch-theme' . $_GET['template']);
|
||||
|
||||
if ('activate' == $_GET['action']) {
|
||||
if ( isset($_GET['template']) )
|
||||
@ -69,7 +69,7 @@ foreach ($theme_names as $theme_name) {
|
||||
$author = $themes[$theme_name]['Author'];
|
||||
$screenshot = $themes[$theme_name]['Screenshot'];
|
||||
$stylesheet_dir = $themes[$theme_name]['Stylesheet Dir'];
|
||||
$activate_link = "themes.php?action=activate&template=$template&stylesheet=$stylesheet";
|
||||
$activate_link = wp_nonce_url("themes.php?action=activate&template=$template&stylesheet=$stylesheet", 'switch-theme' . $template);
|
||||
?>
|
||||
<div class="available-theme">
|
||||
<h3><a href="<?php echo $activate_link; ?>"><?php echo "$title $version"; ?></a></h3>
|
||||
|
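Review bot: `check_admin_referer('switch-theme' . $_GET['template'])` runs as soon as `action` is set, before the `isset($_GET['template'])` test two lines later, so an `action` without `template` raises an undefined-index notice and is verified against the bare `switch-theme` action; move the nonce check inside that `isset` branch or default the value first. The activation link also carries `stylesheet`, which the nonce does not cover, so a nonce minted for one template validates any stylesheet passed alongside it; bind both: `wp_nonce_url("themes.php?action=activate&template=$template&stylesheet=$stylesheet", 'switch-theme_' . $template . '_' . $stylesheet)` and `check_admin_referer('switch-theme_' . $_GET['template'] . '_' . $_GET['stylesheet']);`. The `switch_themes` capability check, if any, is outside this hunk.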
@ -11,7 +11,7 @@ $update = '';
|
||||
switch ($action) {
|
||||
|
||||
case 'promote':
|
||||
check_admin_referer();
|
||||
check_admin_referer('bulk-users');
|
||||
|
||||
if (empty($_POST['users'])) {
|
||||
header('Location: users.php');
|
||||
@ -39,7 +39,7 @@ break;
|
||||
|
||||
case 'dodelete':
|
||||
|
||||
check_admin_referer();
|
||||
check_admin_referer('delete-users');
|
||||
|
||||
if ( empty($_POST['users']) ) {
|
||||
header('Location: users.php');
|
||||
@ -72,7 +72,7 @@ break;
|
||||
|
||||
case 'delete':
|
||||
|
||||
check_admin_referer();
|
||||
check_admin_referer('bulk-users');
|
||||
|
||||
if (empty($_POST['users'])) {
|
||||
header('Location: users.php');
|
||||
@ -86,6 +86,7 @@ case 'delete':
|
||||
include ('admin-header.php');
|
||||
?>
|
||||
<form action="" method="post" name="updateusers" id="updateusers">
|
||||
<?php wp_nonce_field('delete-users') ?>
|
||||
<div class="wrap">
|
||||
<h2><?php _e('Delete Users'); ?></h2>
|
||||
<p><?php _e('You have specified these users for deletion:'); ?></p>
|
||||
@ -131,7 +132,7 @@ case 'delete':
|
||||
break;
|
||||
|
||||
case 'adduser':
|
||||
check_admin_referer();
|
||||
check_admin_referer('add-user');
|
||||
|
||||
$user_id = add_user();
|
||||
if ( is_wp_error( $user_id ) )
|
||||
@ -205,6 +206,7 @@ default:
|
||||
?>
|
||||
|
||||
<form action="" method="post" name="updateusers" id="updateusers">
|
||||
<?php wp_nonce_field('bulk-users') ?>
|
||||
<div class="wrap">
|
||||
<h2><?php _e('User List by Role'); ?></h2>
|
||||
<table cellpadding="3" cellspacing="3" width="100%">
|
||||
@ -257,6 +259,7 @@ default:
|
||||
<h2><?php _e('Add New User') ?></h2>
|
||||
<?php echo '<p>'.sprintf(__('Users can <a href="%1$s">register themselves</a> or you can manually create users here.'), get_settings('siteurl').'/wp-register.php').'</p>'; ?>
|
||||
<form action="" method="post" name="adduser" id="adduser">
|
||||
<?php wp_nonce_field('add-user') ?>
|
||||
<table class="editform" width="100%" cellspacing="2" cellpadding="5">
|
||||
<tr>
|
||||
<th scope="row" width="33%"><?php _e('Nickname') ?>
|
||||
|
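Review bot: The `dodelete` nonce `delete-users` is not tied to the set of users being deleted, unlike the per-object actions elsewhere in this commit (`delete-post$id`, `update-attachment$id`), so a nonce taken from one confirmation page stays valid for deleting any other set of ids during its lifetime; since both the confirmation page (`delete`) and `dodelete` receive the ids in `$_POST['users']`, bind them: `$ids = implode(',', array_map('intval', (array) $_POST['users']));` in both cases, with `wp_nonce_field('delete-users_' . $ids)` in the confirmation form and `check_admin_referer('delete-users_' . $ids);` in `dodelete`. This assumes the confirmation form re-posts the same ids in the same order, which is rendered outside this hunk. The capability check for `adduser` is not visible in the hunk either.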