r42986 introduced the beginnings of an Ajax handler for processing requests to erase personal data. At the time, a method for marking requests as completed was planned, but had not yet been created. This commit introduces that mechanism, bringing the erasure process closer to completion.
Props coreymckrill, allendav.
Fixes#43922.
git-svn-id: https://develop.svn.wordpress.org/trunk@43185 602fd350-edb4-49c9-b593-d223f7449a82
r43008 refactored the request flow to make several improvements, but accidentally marked `completed` requests as `confirmed`. This commit restores the intended statuses, so that the data and corresponding UI reflect reality.
Props allendav, birgire.
Fixes#43913.
git-svn-id: https://develop.svn.wordpress.org/trunk@43183 602fd350-edb4-49c9-b593-d223f7449a82
Whenever an admin initiates a download or email of a personal data export, a fresh copy of the file is generated. Previously, a new filename was used each time, which could lead to situations where a URL that was emailed to a data subject is broken.
That can be avoided by reusing the same filename when building fresh archives.
Props desrosj, tz-media, allendav.
Fixes#43905.
git-svn-id: https://develop.svn.wordpress.org/trunk@43180 602fd350-edb4-49c9-b593-d223f7449a82
The new features are very important for some users, because of their GDPR obligations. They're also spread across multiple top-level menus, making them less discoverable. An admin pointer will help to ensure that users are aware of the new tools and how to find them.
Props desrosj, andreamiddleton, allendav, xkon.
Fixes#43942.
git-svn-id: https://develop.svn.wordpress.org/trunk@43158 602fd350-edb4-49c9-b593-d223f7449a82
The personal data export and erasure tools allow plugins to register their own callbacks, in order to add additional data to the export and erasure processes. Previously, these were registered without specifying a constant identifier in the array of callbacks. Using mutable integers makes it difficult for plugins to modify the callbacks of other plugins, though.
Using associative array keys instead provides a covenient and reliable way to identify and interact with another plugin's callbacks.
Props desrosj, allendav, ocean90.
Fixes#43931.
git-svn-id: https://develop.svn.wordpress.org/trunk@43154 602fd350-edb4-49c9-b593-d223f7449a82
- Insert both the text and tutorial in new policy pages and highlight is brightly in the editor.
- Show only the suggested text in the policy postbox.
Props melchoyce, azaozz.
See #43473.
git-svn-id: https://develop.svn.wordpress.org/trunk@43146 602fd350-edb4-49c9-b593-d223f7449a82
Multisite networks have a variety of use cases, and in many of them single-site administrators are not trusted to take actions that affect the whole network, require making decisions about legal compliance, etc. By default, those actions should require super admin capabilities. Plugins can be used to override that behavior if a particular site's use case calls for it.
Props allendav, jeremyfelt, iandunn.
Fixes#43919.
git-svn-id: https://develop.svn.wordpress.org/trunk@43085 602fd350-edb4-49c9-b593-d223f7449a82
This runs immediately after the data export file has been successfully created, allowing plugins to introduce some workflow customizations. For example, a plugin could password-protect the export file, for peace of mind, even though the CSPRN in the filename makes brute force attacks nearly impossible.
See #43546.
git-svn-id: https://develop.svn.wordpress.org/trunk@43047 602fd350-edb4-49c9-b593-d223f7449a82
The primary means of protecting the files is the CSPRN appended to the filename, but there is no reason to keep the files after the data subject has downloaded them, so deleting them provides an additional layer of protection. Previously this was done from `wp_privacy_generate_personal_data_export_file()`, but that does not guarantee that it will be run regularly, and on smaller sites that could result in export files being exposed for much longer than necessary.
`wp_privacy_delete_old_export_files()` was moved to a front end file, so that it can be called from `cron.php`.
This introduces the `wp_privacy_export_expiration` filter, which allows plugins to customize how long the exports are kept before being deleted.
`index.html` was added to the `$exclusions` parameter of `list_files()` to make sure that it isn't deleted. If it were, then poorly-configured servers would allow the directory to be traversed, exposing all of the exported files.
Props iandunn, desrosj.
See #43546.
git-svn-id: https://develop.svn.wordpress.org/trunk@43046 602fd350-edb4-49c9-b593-d223f7449a82
`rand()` is deterministic and therefore offers much less protection in this context. `wp_generate_password()` is a convenient wrapper around `wp_rand()`, which uses `random_int()` to generate cryptographically-secure psuedorandom numbers.
See #43546.
git-svn-id: https://develop.svn.wordpress.org/trunk@43045 602fd350-edb4-49c9-b593-d223f7449a82
By making the pagination links use the default style for buttons, color contrast
is improved and the CSS is simplified. Improves consistency with other UI controls.
Also, slightly increases the white space below the pagination links.
Props benoitchantre, afercia.
Fixes#41858.
git-svn-id: https://develop.svn.wordpress.org/trunk@43019 602fd350-edb4-49c9-b593-d223f7449a82
The updated version of the nag is shorter, more on point and less aggressive than the previous one. It integrates better with the other dashboard widgets and fixes several accessibility concerns. A yellow warning color is used when the current PHP version is outdated, a red error color is used when it is also insecure.
Props afercia, birgire, danieltj, flixos90, johnjamesjacoby, karmatosed, Luciano Croce, nerrad, pento, schlessera, SergeyBiryukov, sonjaleix.
Fixes#41191.
git-svn-id: https://develop.svn.wordpress.org/trunk@43006 602fd350-edb4-49c9-b593-d223f7449a82
This iterates on earlier versions of the code, in order to handle more edge cases. An arbitrary string like `or=\"` will now be stripped, as well as reachability scopes like `%eth0`.
Props eamax, soulseekah, iandunn.
Fixes#41083.
git-svn-id: https://develop.svn.wordpress.org/trunk@42968 602fd350-edb4-49c9-b593-d223f7449a82
* When show_split_view argument false, show title changes in a single column and only show title once if title is unchanged.
Props johnbillion, mbelchev.
Fixes#42402.
git-svn-id: https://develop.svn.wordpress.org/trunk@42966 602fd350-edb4-49c9-b593-d223f7449a82
This changeset adjusts the tone of the message to fit the usual core voice better and addresses accessibility concerns.
Props schlessera.
See #41191.
git-svn-id: https://develop.svn.wordpress.org/trunk@42891 602fd350-edb4-49c9-b593-d223f7449a82
`edit_user()` can also update user roles but was still using the `edit_users` capability instead of the newer `promote_users` capability introduced in [14176].
This makes the role handling consistent with the bulk dropdown menu for role changes.
Props flixos90, johnjamesjacoby, ocean90.
Fixes#42564.
git-svn-id: https://develop.svn.wordpress.org/trunk@42855 602fd350-edb4-49c9-b593-d223f7449a82
A new global multisite table `wp_blogmeta` is added to the database schema, and a set of `*_site_meta()` API functions are introduced.
The implementation fails gracefully when the new table is not yet available, which may happen especially shortly after the core update, before the network has been upgraded to the new database schema. The presence of the table is detected once and stored as a global setting on the main network.
Core does not yet use site metadata, but there are several use-cases to be implemented or explored in the near future, and it allows plugins to extend sites with arbitrary data, which will come in particularly handy with the upcoming REST API endpoint for sites.
Props spacedmonkey, johnjamesjacoby, jeremyfelt, flixos90.
Fixes#37923.
git-svn-id: https://develop.svn.wordpress.org/trunk@42836 602fd350-edb4-49c9-b593-d223f7449a82
This new dashboard widget is shown on WordPress sites which are powered by a PHP version which WordPress considers outdated, in order to inform site owners about the resulting problems and to explain how to upgrade to a supported version. An education page for that purpose has been previously created that the widget links to. The link is translatable so that localized versions of the page can be referred to as they become available.
The nag follows the example of the Browse Happy dashboard widget and is only visible for administrators, or network administrators when using multisite. To determine whether it needs to be displayed, a new wordpress.org API introduced prior is called that handles the version logic in a centralized location.
Props flixos90, hedgefield, schlessera.
Fixes#41191.
git-svn-id: https://develop.svn.wordpress.org/trunk@42832 602fd350-edb4-49c9-b593-d223f7449a82
This allows referrer-restricted content from third parties (such as images and fonts) to continue working in the admin area.
Props aranwer104, qcmiao
Fixes#43285
git-svn-id: https://develop.svn.wordpress.org/trunk@42830 602fd350-edb4-49c9-b593-d223f7449a82
WordPress.org currently supports up to 5 million, and with the growth of WordPress, it's expected that that upper bound will increase in the future.
Fixes#43193.
git-svn-id: https://develop.svn.wordpress.org/trunk@42829 602fd350-edb4-49c9-b593-d223f7449a82
Add missing translator comments in `WP_Theme_Install_List_Table` and `wp_notify_postauthor()`.
Add missing commas in some translator comments.
Fixes#43523.
git-svn-id: https://develop.svn.wordpress.org/trunk@42827 602fd350-edb4-49c9-b593-d223f7449a82
For a number of years, the "Available Widgets" section has been off-limits for
keyboard users. Now it can be used also with the keyboard. This change introduces
also some improvements for assistive technologies.
- makes the widget toggles focusable and adds an `aria-expanded` attribute to indicate their state
- improves the toggles labelling to clarify context (add/edit)
- changes the controls to choose a sidebar from list items to buttons
- adds an `aria-label` attribute to the buttons to clarify their purpose
- adds an `aria-pressed` attribute to the buttons to indicate which one is selected
- improves color contrast of the selected button
- uses a `wp.a11y.speak()` message to announce to screen reader users when a widget has been added to a sidebar
- moves focus back to the toggle button when closing a widget
See #40677.
git-svn-id: https://develop.svn.wordpress.org/trunk@42794 602fd350-edb4-49c9-b593-d223f7449a82
For a number of years, the link to the Widgets screen "Accessibility mode" lived
in the Screen Options panel, hidden by default. Many users, including assistive
technologies users, weren't able to find it or even aware it existed. By bringing
the link in the main screen, visible by default, this change makes the
"Accessibility mode" easily discoverable for everyone.
Props chetan200891, antonioeatgoat.
Fixes#42778.
git-svn-id: https://develop.svn.wordpress.org/trunk@42790 602fd350-edb4-49c9-b593-d223f7449a82
The error response body size is limited to 1 KB by default to avoid taking up too much memory. The size can be increased using `download_url_error_max_body_size` filter.
Props soulseekah, campusboy1987, mihdan, SergeyBiryukov.
Fixes#43329.
git-svn-id: https://develop.svn.wordpress.org/trunk@42773 602fd350-edb4-49c9-b593-d223f7449a82
For better accessibility and semantics, user interface controls that perform an
action should be buttons. Links should exclusively be used for navigation.
Props Cheffeid, audrasjb, afercia.
See #43382, #38677.
Fixes#43376.
git-svn-id: https://develop.svn.wordpress.org/trunk@42767 602fd350-edb4-49c9-b593-d223f7449a82
At the time, having both `required` and `aria-required` meant a wider range of support for browsers and assistive technology. Today, it's safe to use just `required`.
Props shital-patel, afercia, audrasjb.
Fixes#43415.
git-svn-id: https://develop.svn.wordpress.org/trunk@42759 602fd350-edb4-49c9-b593-d223f7449a82
This tag has been used in the past, but should no longer be used. Just using the `static` keyword in code is enough for PhpDocumentor on PHP5+ to recognize static variables and methods, and PhpDocumentor will mark them as static.
Props birgire.
See #42803.
git-svn-id: https://develop.svn.wordpress.org/trunk@42747 602fd350-edb4-49c9-b593-d223f7449a82
This tag has been used in the past, but should no longer be used. Just using the `static` keyword in code is enough for PhpDocumentor on PHP5+ to recognize static variables and methods, and PhpDocumentor will mark them as static.
Props birgire.
See #42803.
git-svn-id: https://develop.svn.wordpress.org/trunk@42745 602fd350-edb4-49c9-b593-d223f7449a82
Reverts unit test removal, instead changing them to expect the function to be deprecated.
Correct the version the ajax callback was deprecated.
Amends [42614].
Props dlh, ocean90.
Fixes#38922.
git-svn-id: https://develop.svn.wordpress.org/trunk@42737 602fd350-edb4-49c9-b593-d223f7449a82
For better accessibility and semantics, user interface controls that perform an
action should be buttons. Links should exclusively be used for navigation.
See #38677 / [42725].
Fixes#43382.
git-svn-id: https://develop.svn.wordpress.org/trunk@42727 602fd350-edb4-49c9-b593-d223f7449a82
WordCamps are celebrations of the local WordPress Community and once a local one is scheduled, people in that community should know it is coming. This adjusts the WordPress Events in the dashboard widgets to always display a WordCamp, even if there are multiple Meetups happening first.
Props iandunn, metalandcoffee, warmlaundry, alejandroxlopez, jorbin.
Fixes#41112.
git-svn-id: https://develop.svn.wordpress.org/trunk@42726 602fd350-edb4-49c9-b593-d223f7449a82
For better accessibility and semantics, user interface controls that perform an
action should be buttons. Links should exclusively be used for navigation. Also,
adds an `aria-expanded` attribute to the button to communicate to assistive
technologies the expanded / collapsed status of the Quick Edit form.
Props Cheffheid, audrasjb, afercia.
Fixes#38677.
git-svn-id: https://develop.svn.wordpress.org/trunk@42725 602fd350-edb4-49c9-b593-d223f7449a82
This filter shows comments made by the current user, and copies the same filter functionality that's available on the post listing screens.
Props Iceable
Fixes#42379
git-svn-id: https://develop.svn.wordpress.org/trunk@42684 602fd350-edb4-49c9-b593-d223f7449a82
While intended as a playful error message, `Cheatin’ uh?` can be interpreted as insulting or accusatory in an already stressful situation. This replaces Cheatin’ with more meaningful error messages, depending on the error that occurs.
Props ElectricFeet, EricMeyer, karmatosed, dd32, BandonRandon, melchoyce for language; dmsnell for original patch; peterwilsoncc.
Fixes#38332.
git-svn-id: https://develop.svn.wordpress.org/trunk@42648 602fd350-edb4-49c9-b593-d223f7449a82
Deprecate wp_ajax_ajax_tag_search and switch to using the REST API when searching tags in the tags meta box.
Props nacin, chriscct7, afercia, swissspidy, jnylen0, rmccue, ryelle.
Fixes#38922.
git-svn-id: https://develop.svn.wordpress.org/trunk@42614 602fd350-edb4-49c9-b593-d223f7449a82
JSHint inherits a license from JSLint that includes the clause "The Software shall be used for Good, not Evil." WordPress's license specifically allows grants the freedom to run the program, for any purpose. Please note, this is not an encouragement of evil. Rather than doing something evil, how about learning to love those around you. Instead of tweeting lies and saying people are "Not Good!", help your neighbor. In the words of Lin Manual Miranda, "Love is love is love is love is love is love is love is love, cannot be killed or swept aside."
This replaces JSHint with esprima, a part of the larger jQuery project, and a custom wrapper for some basic error checking within codemirror.
The existing JSHint configuration is kept in place in case someone wants to use that, but they can only do so for Good.
Fixes#42850
Props netweb for a spelling fix on a comment.
git-svn-id: https://develop.svn.wordpress.org/trunk@42547 602fd350-edb4-49c9-b593-d223f7449a82
Add `comments_list_table_query_args` filter to the Comments List Table.
Props soulseekah, birgire.
Fixes#42997.
git-svn-id: https://develop.svn.wordpress.org/trunk@42420 602fd350-edb4-49c9-b593-d223f7449a82
On the "Attachment Details" screen:
* The crop button is always 'enabled'.
* Clicking the crop button with no selection selects the entire image.
* Clicking the crop button with the entire image selected doesn't do anything.
* Clicking the crop button with a selection crops as expected.
Props sonjanyc, afercia, mikeschroder.
Fixes#30155.
git-svn-id: https://develop.svn.wordpress.org/trunk@42404 602fd350-edb4-49c9-b593-d223f7449a82
WordPress' code just... wasn't.
This is now dealt with.
Props jrf, pento, netweb, GaryJ, jdgrimes, westonruter, Greg Sherwood from PHPCS, and everyone who's ever contributed to WPCS and PHPCS.
Fixes#41057.
git-svn-id: https://develop.svn.wordpress.org/trunk@42343 602fd350-edb4-49c9-b593-d223f7449a82
This allows showing a name when only the first or last name is provided.
Props shital-patel, antipole.
Fixes#42713.
git-svn-id: https://develop.svn.wordpress.org/trunk@42256 602fd350-edb4-49c9-b593-d223f7449a82
We have a handful of super long regexen that are written over multiple lines, as a collection of strings concatenated together. Each string is indented appropriately for the regex, but PHPCS doesn't recognised this, so defaults to removing the extra whitespace.
Disabling the `Squiz.Strings.ConcatenationSpacing.PaddingFound` rule for these blocks stops the extra whitespace from being removed.
See #41057.
git-svn-id: https://develop.svn.wordpress.org/trunk@42249 602fd350-edb4-49c9-b593-d223f7449a82
This fixes theme editing on Windows platforms where `validate_file()` will return `2` on a full file path.
Fixes#42609.
git-svn-id: https://develop.svn.wordpress.org/trunk@42244 602fd350-edb4-49c9-b593-d223f7449a82
While caching here seemed like a good idea in theory, in practice the cache would be often stale causing development issues.
We exclude common folders (such as `node_modules`) from the scanning to avoid directories which are not useful to the end-user, so as long as those exclusion lists are held up this shouldn't cause too much of a degredation in the future.
We may consider adding caching here again in the future if it's determined that it is really needed.
Props precies, ibenic, mariovalney, schlessera, and all the others who commented on the ticket(s).
This partually reverts [41806].
See #6531.
Fixes#42573.
git-svn-id: https://develop.svn.wordpress.org/trunk@42242 602fd350-edb4-49c9-b593-d223f7449a82
The WPCS `WordPress.WhiteSpace.PrecisionAlignment` rule throws warnings for a bunch of code that will likely cause issues for `wpcbf`. Fixing these manually beforehand gives us better auto-fixed results later.
See #41057.
git-svn-id: https://develop.svn.wordpress.org/trunk@42228 602fd350-edb4-49c9-b593-d223f7449a82
Using a filename which was generated from `time()` could cause two processes to try to use the same filename, causing unexpected behaviour.
Props jrchamp, bikecrazyy.
Fixes#42265.
git-svn-id: https://develop.svn.wordpress.org/trunk@42224 602fd350-edb4-49c9-b593-d223f7449a82
This pattern occurs a handful of times across the codebase:
`<div class="foo<?php if ( $bar ) { echo ' baz'; } ?>">`
Unfortunately, it doesn't really play nicely with `phpcbf`, so all instances need to be removed in preperation for auto code formatting.
See #41057.
git-svn-id: https://develop.svn.wordpress.org/trunk@42217 602fd350-edb4-49c9-b593-d223f7449a82
The fix in [41821] caused numeric folder names to be reindexed to 0..n when in the root directory (for example, `my-plugin/24/`).
Props edo888.
See #41524.
Fixes#42628 for trunk.
git-svn-id: https://develop.svn.wordpress.org/trunk@42214 602fd350-edb4-49c9-b593-d223f7449a82
The `meta_box_cb` argument was introduced in [25572] to allow plugin
authors to provide a custom callback for rendering their taxonomy's meta
box on the post edit screen. However, the routine used to handle the saving
of these custom taxonomy meta boxes was not customizable, but was instead
based simply on whether the taxonomy was hierarchicaly. See [13535].
The new `meta_box_sanitize_cb` argument defaults to the "tag" routine for
non-hierarchical taxonomies and the "category" routine for hierarchical ones,
thereby maintaining the current default behavior. Developers can override this
when the data passed from their `meta_box_cb` differs.
Props boonebgorges, ZaneMatthew, stephenharris.
Fixes#36514.
git-svn-id: https://develop.svn.wordpress.org/trunk@42211 602fd350-edb4-49c9-b593-d223f7449a82
Fixes a bug where files couldn't be accessed in multisite installs.
Props flixos90, westonruter.
Fixes#42420.
git-svn-id: https://develop.svn.wordpress.org/trunk@42115 602fd350-edb4-49c9-b593-d223f7449a82
Prevent edits to 2-level deep theme files from returning a `disallowed_theme_file` error when attempting to save an edit. Aligns logic for gathering `$allowed_files` in `theme-editor.php` for listing files with the validation logic in `wp_edit_theme_plugin_file()`.
Amends [41806].
See #6531.
Fixes#42425.
git-svn-id: https://develop.svn.wordpress.org/trunk@42112 602fd350-edb4-49c9-b593-d223f7449a82
This now treats files containing `./` as valid, and also treats files containing a trailing `../` as valid due to widespread use of this pattern in theme and plugin zip files.
Adds tests.
Props Ipstenu, borgesbruno, DavidAnderson, philipjohn, birgire
Fixes#42016, #36170
git-svn-id: https://develop.svn.wordpress.org/trunk@42011 602fd350-edb4-49c9-b593-d223f7449a82
* Allow updating oEmbed cache during `parse-embed` requests for non-post editors (such as widgets).
* Update any existing `oembed_cache` post when `usecache` and TTL has passed.
* Do not overwrite a previously valid cache with `{{unknown}}`.
Props dlh.
See #34115.
Fixes#42310.
git-svn-id: https://develop.svn.wordpress.org/trunk@42009 602fd350-edb4-49c9-b593-d223f7449a82
Adds checks throughout to allow for `wp_new_comment()` returning a `WP_Error` instance.
Updates the docs for the `pre_comment_approved` filter to include that it can be passed an error.
Props enrico.sorcinelli, ryotsun.
Fixes#39730.
git-svn-id: https://develop.svn.wordpress.org/trunk@41980 602fd350-edb4-49c9-b593-d223f7449a82
Reverting this for 4.9. It will be added back in a future version of WordPress. This doesn't mean that you shouldn't be trying Gutenberg, just that it isn't ready for a call out to a larger audience. But if you are the type to read commit messages, https://github.com/WordPress/gutenberg could use your pull requests and comments on issues.
Reverts [41931] [41900] [41896] [41895]
See #41316
git-svn-id: https://develop.svn.wordpress.org/trunk@41978 602fd350-edb4-49c9-b593-d223f7449a82
When media is uploaded to a post, the upload directory is set according to the date of the post, so that the media URLs in the post match when the post was published.
A page is a slightly different beast, pages often live for years, and are regularly updated to stay relevant. This change causes media uploaded to pages to use the upload date to determine the upload directory.
Fixes#10752.
git-svn-id: https://develop.svn.wordpress.org/trunk@41964 602fd350-edb4-49c9-b593-d223f7449a82
As of #34115 if there is no post context the oEmbed will be cached in an `oembed_cache` custom post type, so having a post as context is no longer a requirement for caching.
Props biskobe, westonruter.
See #34115, #40450.
Fixes#40854.
git-svn-id: https://develop.svn.wordpress.org/trunk@41913 602fd350-edb4-49c9-b593-d223f7449a82
To encourage more people to try Gutenberg, this new Dashboard box allows site users to easily install and try out Gutenberg.
Props pento, melchoyce, joen, karmatosed.
Fixes#41316.
git-svn-id: https://develop.svn.wordpress.org/trunk@41895 602fd350-edb4-49c9-b593-d223f7449a82
* Update stubs to have draft status when changeset is saved as draft, instead of preventing auto-draft garbage collection by giving them a far-future `post_date`.
* Show notice in publish metabox when editing a customization draft indicating that it will be published automatically with its changeset; a link to Customizer is included.
* Include a new "Customization Draft" display post state in the post list table.
* Disconnect stubs from their changesets when they are updated with a status other than "Draft".
* Trash customization drafts when their related changeset is trashed or deleted.
* Add a `_customize_changeset_uuid` postmeta to stubs to link them with their associated changeset.
* Include `customize_changeset_uuid` as context when requesting to insert a new auto-draft.
Props westonruter, melchoyce.
See #39896, #39752, #34923.
Fixes#42220.
git-svn-id: https://develop.svn.wordpress.org/trunk@41887 602fd350-edb4-49c9-b593-d223f7449a82
The theme and plugin editors now list all files in the selected theme or plugin, recursing through subdirectories as necessary.
Props WraithKenny, schlessera, chsxf, MikeHansenMe, Daedalon, valendesigns, westonruter, pento.
Fixes#6531.
git-svn-id: https://develop.svn.wordpress.org/trunk@41806 602fd350-edb4-49c9-b593-d223f7449a82
* Increase PHP execution time limit prior to issuing loopback requests where are themselves given timeouts to ensure PHP file can be reverted.
* Output scrape messages on success and failure so that absence of either can also be flagged as an error condition.
* Forward browser's HTTP Basic Auth credentials in loopback requests to admin and home URL.
* Display more helpful message when loopback request fails.
Amends [41721].
See #21622.
Fixes#42102.
git-svn-id: https://develop.svn.wordpress.org/trunk@41805 602fd350-edb4-49c9-b593-d223f7449a82
* Open the door for future browser history feature in #28536, which is currently not feasible when customize-loader is used.
* Remove customizer-loader from being used on admin screens for Dashboard, Themes, non-shiny theme install/update.
* Keep the customize-loader functionality available for plugins, for the time being. It may become deprecated.
* Ensure `return` param in customizer links in Themes screen update to reflect `search` updated by `pushState`.
* Persist `return` when reloading Customizer due to theme switch, autosave restoration, or changeset trashing.
* Use `location.replace()` instead of changing `location.href` when trashing.
* Hide theme browser while Themes screen is loading when there is a `search` to prevent flash of unfiltered themes.
* Use throttling instead of debouncing when searching themes to ensure that screen is updated immediately on page load.
* Fix encoding and decoding of `search` param between URL and search field.
* Add support for dismissing autosaves when closing customize-loader, when it is used by plugins.
* Skip sending changeset UUID to customize-loader for population in browser location if changeset branching is not enabled.
See #28536.
Fixes#40254.
git-svn-id: https://develop.svn.wordpress.org/trunk@41797 602fd350-edb4-49c9-b593-d223f7449a82
- Remove plugins icons from the plugin list table, as there were performance issues loading the icons when the site had lots of plugins.
- Depending on which icons the plugin has uploaded, prefer them in this order: `svg`, `128x128`, `256x256`.
- Improve the style of the fallback icon for plugins that don't have an icon defined.
Props Travel_girl, danieltj, afercia, karmatosed,hugobaeta, empireoflight, brentjett, melchoyce, pento.
Fixes#30186.
git-svn-id: https://develop.svn.wordpress.org/trunk@41755 602fd350-edb4-49c9-b593-d223f7449a82
When able to be parsed, store the created date for a video file from meta,
since this is useful separately from the dates on the file itself.
Introduces `wp_get_media_creation_timestamp()` to read the timestamp from
getID3 and a `wp_read_video_metadata` filter analogous to
`wp_read_image_metadata`.
Fixes#35218.
Props stevegrunwell, joemcgill, desrosj, blobfolio, mikeschroder.
git-svn-id: https://develop.svn.wordpress.org/trunk@41746 602fd350-edb4-49c9-b593-d223f7449a82
This sets a referrer policy of `same-origin` which adds hardening by preventing a referrer being sent from the admin area or login screens to other origins. This helps prevent unwanted exposure of potentially sensitive information that may be contained within URLs.
This change introduces a new filter, `admin_referrer_policy`, for filtering the referrer policy header value. The header can be disabled if necessary by removing the `wp_admin_headers` action from the `admin_init` and `login_init` hooks.
Props joostdevalk
Fixes#42036
git-svn-id: https://develop.svn.wordpress.org/trunk@41741 602fd350-edb4-49c9-b593-d223f7449a82
* Edits to active plugins which cause PHP fatal errors will no longer auto-deactivate the plugin. Supersedes #39766.
* Introduce sandboxed PHP file edits for active themes, preventing accidental whitescreening of a user's site when introducing a fatal error.
* After writing a change to a PHP file for an active theme or plugin, perform loopback requests on the file editor admin screens and the homepage to check for fatal errors. If a fatal error is encountered, roll back the edited file and display the error to the user to fix and try again.
* Introduce a secure way to scrape PHP fatal errors from a site via `wp_start_scraping_edited_file_errors()` and `wp_finalize_scraping_edited_file_errors()`.
* Moves file modifications from `theme-editor.php` and `plugin-editor.php` to common `wp_edit_theme_plugin_file()` function.
* Refactor themes and plugin editors to submit file changes via Ajax instead of doing full page refreshes when JS is available.
* Use `get` method for theme/plugin dropdowns.
* Improve styling of plugin editors, including width of plugin/theme dropdowns.
* Improve notices API for theme/plugin editor JS component.
* Strip common base directory from plugin file list. See #24048.
* Factor out functions to list editable file types in `wp_get_theme_file_editable_extensions()` and `wp_get_plugin_file_editable_extensions()`.
* Scroll to line in editor that has linting error when attempting to save. See #41886.
* Add checkbox to dismiss lint errors to proceed with saving. See #41887.
* Only style the Update File button as disabled instead of actually disabling it for accessibility reasons.
* Ensure that value from CodeMirror is used instead of `textarea` when CodeMirror is present.
* Add "Are you sure?" check when leaving editor when there are unsaved changes.
Supersedes [41560].
See #39766, #24048, #41886.
Props westonruter, Clorith, melchoyce, johnbillion, jjj, jdgrimes, azaozz.
Fixes#21622, #41887.
git-svn-id: https://develop.svn.wordpress.org/trunk@41721 602fd350-edb4-49c9-b593-d223f7449a82
To mirror theme list table behaviour, the plugin icon now appears next to plugins in the plugin list tables. For plugins that don't have an icon, or non-W.org plugins, a fallback dashicon is shown.
Props melchoyce, afercia, paulwilde, pento, obenland.
Fixes#30186.
git-svn-id: https://develop.svn.wordpress.org/trunk@41695 602fd350-edb4-49c9-b593-d223f7449a82
- uses the core `notice` styles for the Quick Edit form inline error messages
- adds missing periods at the end of a few error messages
Props ocean90, karmatosed, melchoyce, afercia.
Fixes#35496.
git-svn-id: https://develop.svn.wordpress.org/trunk@41684 602fd350-edb4-49c9-b593-d223f7449a82
The `aria-current` attribute is a simple, effective way to help assistive
technologies users orientate themselves within a list of items. Continues the
introduction in core of the `aria-current` attribute after [41359] and [41371].
Props joedolson, flixos90, afercia.
Fixes#32399.
git-svn-id: https://develop.svn.wordpress.org/trunk@41683 602fd350-edb4-49c9-b593-d223f7449a82
`get_current_blog_id()` is more appropriate for determining the ID of the current site in most cases. This eliminates the need for the global `$wpdb` in several functions and is better than the implicit global used in admin pages.
Props bnap00, spacedmonkey.
Fixes#41684.
git-svn-id: https://develop.svn.wordpress.org/trunk@41661 602fd350-edb4-49c9-b593-d223f7449a82
- sets the modal content to `role="document"` to make screen readers switch back to browse mode
- standardizes the Themes screen and Customizer modals interaction
- Themes screen modal: sets initial focus on the modal overlay instead of the primary button, avoiding to "skip" content for keyboard and screen reader users
Fixes#42055.
git-svn-id: https://develop.svn.wordpress.org/trunk@41658 602fd350-edb4-49c9-b593-d223f7449a82
Unify the theme-browsing and theme-customization experiences by introducing a comprehensive theme browser and installer directly accessible in the customizer. Replaces the customizer theme switcher with a full-screen panel for discovering/browsing and installing themes available on WordPress.org. Themes can now be installed and previewed directly in the customizer without entering the wp-admin context. Also includes an extensible framework for browsing and installing themes from other sources.
Also includes CSS auto-prefixing added via `grunt precommit:css`.
For details, see: https://make.wordpress.org/core/2016/10/03/feature-proposal-a-new-experience-for-discovering-installing-and-previewing-themes-in-the-customizer/
Previously [38813] but reverted in [39140].
Fixes#37661, #34843, #38666.
Props celloexpressions, folletto, westonruter, karmatosed, melchoyce, afercia.
git-svn-id: https://develop.svn.wordpress.org/trunk@41648 602fd350-edb4-49c9-b593-d223f7449a82
To bring Core into line with the changes to `$wpdb->prepare()` in WordPress 4.8.2, query placeholders shouldn't be quoted.
Props jrf, johnjamesjacoby.
Fixes#41983.
git-svn-id: https://develop.svn.wordpress.org/trunk@41628 602fd350-edb4-49c9-b593-d223f7449a82
- uses button elements for the toggles
- uses `aria-expanded` on the toggles to communicate to assistive technologies the panels expanded/collapsed state
- adds the "circular focus" style to the toggles to give users a clear indication of the currently focused element
- standardizes CSS class names to `.toggle-indicator` and `.handlediv` as these names are already used across the admin for similar controls
Props monikarao, xavortm, mihai2u, Kopepasah.
Fixes#37013.
git-svn-id: https://develop.svn.wordpress.org/trunk@41621 602fd350-edb4-49c9-b593-d223f7449a82
admin email address on Multisite.
This mirrors the same functionality for the site admin email address and user profile email address.
Fixes#41254
git-svn-id: https://develop.svn.wordpress.org/trunk@41617 602fd350-edb4-49c9-b593-d223f7449a82
Calling the `count_users()` function is expensive, regardless of the counting strategy that's used, and it gets
slower the more users there are on a site. In order to speed up the Users screen in the admin area, calling
`count_users()` can be avoided entirely while still displaying the total count for users.
This introduces some new functions:
* `wp_is_large_user_count()`
* `wp_get_active_user_count()`
* `wp_update_active_user_count()`
A corresponding `wp_is_large_user_count` filter is also introduced.
Props tharsheblows, johnbillion
Fixes#38741
git-svn-id: https://develop.svn.wordpress.org/trunk@41613 602fd350-edb4-49c9-b593-d223f7449a82
This unifies the layout and wording of error messages on both the plugins screen and the themes screen.
Props tinkerbelly, juhise, Ankit K Gupta, m1tk00, swissspidy, mrahmadawais, danieltj.
Fixes#37430.
git-svn-id: https://develop.svn.wordpress.org/trunk@41608 602fd350-edb4-49c9-b593-d223f7449a82
This also standardises the `User-Agent` used when communicating with WordPress.org, allowing for more consistent version detection.
Fixes#42004.
git-svn-id: https://develop.svn.wordpress.org/trunk@41605 602fd350-edb4-49c9-b593-d223f7449a82
Changes the highlighted tag buttons accordingly when selecting one of the commong permalink settings.
Deprecates `options_permalink_add_js()` as that JavaScript isn't added inline anymore.
Fixes#29872.
git-svn-id: https://develop.svn.wordpress.org/trunk@41598 602fd350-edb4-49c9-b593-d223f7449a82
An unordered list allows screen reader users to know in advance how many tags are within the list.
Props audrasjb, afercia.
Fixes#40187.
git-svn-id: https://develop.svn.wordpress.org/trunk@41563 602fd350-edb4-49c9-b593-d223f7449a82
* Invalidate PHP opcache after file is updated to ensure `include` will ''include'' the written changes.
* Define `WP_ADMIN` when activating plugin in sandbox so plugin code targeting admin will be loaded.
* Do actions that get triggered when loading the admin to ensure plugin code runs that could cause errors on plugin editor screen (and lock out access).
* Fix ability to re-activate a plugin after editing a PHP file other than the main plugin file, and ensure PHP fatal error will be displayed in such cases.
* Consolidate duplicated code into `plugin_sandbox_scrape()` and re-use in `activate_plugin()`.
* Show an error notice instead of a success notice when a file is updated but a plugin was deactivated due to a fatal error.
* Update style of warning when editing an active plugin to be styled as an actual warning notice.
See #12423, #21622.
Fixes#39766.
git-svn-id: https://develop.svn.wordpress.org/trunk@41560 602fd350-edb4-49c9-b593-d223f7449a82
When preparing the data for the revisions screen, add ' +0000' to the gmt date string before passing it thru `strtotime`.
Props biranit, nacin, buley.
Fixes#25365.
git-svn-id: https://develop.svn.wordpress.org/trunk@41559 602fd350-edb4-49c9-b593-d223f7449a82
- Refactor swfupload.js to output a simple upload form, and handlers.js.
- Delete the SWFUpload plugins directory and swfupload.swf.
- Remove flash cookies "hack" from async-upload.php.
See #41752.
git-svn-id: https://develop.svn.wordpress.org/trunk@41554 602fd350-edb4-49c9-b593-d223f7449a82
* Code editor is integrated into the Theme/Plugin Editor, Additional CSS in Customizer, and Custom HTML widget. Code editor is not yet integrated into the post editor, and it may not be until accessibility concerns are addressed.
* The CodeMirror component in the Custom HTML widget is integrated in a similar way to TinyMCE being integrated into the Text widget, adopting the same approach for integrating dynamic JavaScript-initialized fields.
* Linting is performed for JS, CSS, HTML, and JSON via JSHint, CSSLint, HTMLHint, and JSONLint respectively. Linting is not yet supported for PHP.
* When user lacks `unfiltered_html` the capability, the Custom HTML widget will report any Kses-invalid elements and attributes as errors via a custom Kses rule for HTMLHint.
* When linting errors are detected, the user will be prevented from saving the code until the errors are fixed, reducing instances of broken websites.
* The placeholder value is removed from Custom CSS in favor of a fleshed-out section description which now auto-expands when the CSS field is empty. See #39892.
* The CodeMirror library is included as `wp.CodeMirror` to prevent conflicts with any existing `CodeMirror` global.
* An `wp.codeEditor.initialize()` API in JS is provided to convert a `textarea` into CodeMirror, with a `wp_enqueue_code_editor()` function in PHP to manage enqueueing the assets and settings needed to edit a given type of code.
* A user preference is added to manage whether or not "syntax highlighting" is enabled. The feature is opt-out, being enabled by default.
* Allowed file extensions in the theme and plugin editors have been updated to include formats which CodeMirror has modes for: `conf`, `css`, `diff`, `patch`, `html`, `htm`, `http`, `js`, `json`, `jsx`, `less`, `md`, `php`, `phtml`, `php3`, `php4`, `php5`, `php7`, `phps`, `scss`, `sass`, `sh`, `bash`, `sql`, `svg`, `xml`, `yml`, `yaml`, `txt`.
Props westonruter, georgestephanis, obenland, melchoyce, pixolin, mizejewski, michelleweber, afercia, grahamarmfield, samikeijonen, rianrietveld, iseulde.
See #38707.
Fixes#12423, #39892.
git-svn-id: https://develop.svn.wordpress.org/trunk@41376 602fd350-edb4-49c9-b593-d223f7449a82
* Mark a widget as dirty when a field input triggers a `change` or `input` event; clear dirty state when widget is successfully saved.
* Disable Save button and re-label "Saved" when widget not dirty.
* Show AYS dialog when leaving widgets admin screen with unsaved changes.
* When widgets are dirty, expand all unsaved widgets at AYS check and focus on first one.
* Change "Close" link to "Done"; hide link when widget is dirty and reveal when saved.
* The "Done" link persistently appears in the Customizer even after making a change (when the widget is dirty) because changes are autosaved into the changeset.
* Prevent saving widget when form fails `checkValidity`.
* Fix frequency of triggering of `change` event on the rich Text widget's `textarea` limited now to when there are actual changes.
* Add a class of `widget-dirty` to widget containers when the widget has unsaved changes.
Props westonruter, timmydcrawford, melchoyce.
Fixes#41610, #23120.
git-svn-id: https://develop.svn.wordpress.org/trunk@41352 602fd350-edb4-49c9-b593-d223f7449a82
When multisite is setup already, e.g. in a multi network environment, this change gives a performance benefit over the direct SQL query that was previously used. The SQL query remains in place for when setting up multisite initially as the network API is not available at that point.
Props spacedmonkey.
Fixes#41805.
git-svn-id: https://develop.svn.wordpress.org/trunk@41348 602fd350-edb4-49c9-b593-d223f7449a82
* Vine effectively shut down in December 2016.
* The oEmbed endpoint no longer works and returns a 404.
* Developer documentation for Vine has been removed.
Fixes#41817
git-svn-id: https://develop.svn.wordpress.org/trunk@41347 602fd350-edb4-49c9-b593-d223f7449a82
- Update to 2.1.9.
- Include the non-minified plupload.js and moxie.js.
- Remove support for Flash and Silverlight, the available runtime options are `html5` and `html4`.
- Delete plupload.flash.swf and plupload.silverlight.xap.
Fixes#41755.
git-svn-id: https://develop.svn.wordpress.org/trunk@41328 602fd350-edb4-49c9-b593-d223f7449a82
This fixes an issue where failures when inserting the attachment post via
`wp_insert_attachment()` would result in a return value of `0` instead of a
`WP_Error` object, as documented. This is addressed by passing `true` as the
fourth param (added in WP 4.7.0) when calling `wp_insert_attachment()`.
Props mrasharirfan, flixos90.
Fixes#41726.
git-svn-id: https://develop.svn.wordpress.org/trunk@41323 602fd350-edb4-49c9-b593-d223f7449a82
These log entries are only useful when troubleshooting unexpected results from the API, which is not common. The vast majority of users are better served by not having their logs cluttered with noise.
For the rare situations where troubleshooting is necessary, it can be achieved by a plugin (see #41217 for an example).
Props Howdy_McGee, dd32.
Fixes#41217.
git-svn-id: https://develop.svn.wordpress.org/trunk@41316 602fd350-edb4-49c9-b593-d223f7449a82
This introduces the following meta capabilities:
* `activate_plugin`
* `deactivate_plugin`
* `deactivate_plugins`
The singular `activate_plugin` and `deactivate_plugin` capabilities are used along with the corresponding plugin name when
determining whether or not a user can activate or deactivate an individual plugin.
The plural `deactivate_plugins` capability is used in place of the existing `activate_plugins` capability when determining
whether a user can deactivate plugins.
Each of these new meta capabilities map to the existing `activate_plugins` primitive capability, which means there is no
change in existing behaviour, but plugins can now filter the capabilities required to activate and deactivate individual
plugins.
Fixes#38652
git-svn-id: https://develop.svn.wordpress.org/trunk@41290 602fd350-edb4-49c9-b593-d223f7449a82
"Install" is not a noun, and while it might be acceptable to use the verb as a noun, it is not correct. Using the correct
noun, "installation", increases clarity, especially for non-native English speakers.
This change fixes the usage in user-facing text and in developer documentation.
Fixes#41620
git-svn-id: https://develop.svn.wordpress.org/trunk@41289 602fd350-edb4-49c9-b593-d223f7449a82
This change means that a user can crop an image if they have the ability to edit its attachment post, without requiring the ability to access the Customizer.
Fixes#40193
git-svn-id: https://develop.svn.wordpress.org/trunk@41270 602fd350-edb4-49c9-b593-d223f7449a82
Passing a non-null value to the filter will prevent the uploaded file from being moved to the uploads directory for any of the functions leveraging `_wp_handle_upload()`, such as `wp_handle_upload()` or `wp_handle_sideload()`.
Error reporting related to the file being moved will also be skipped.
Props ryan, Mte90.
Fixes#24603.
git-svn-id: https://develop.svn.wordpress.org/trunk@41258 602fd350-edb4-49c9-b593-d223f7449a82
This adds this previously Multisite-only functionality to single site installations too. This change prevents accidental or erroneous email address changes from potentially locking users out of their site.
Props MatheusGimenez, johnbillion
Fixes#39118
git-svn-id: https://develop.svn.wordpress.org/trunk@41254 602fd350-edb4-49c9-b593-d223f7449a82
This ensures continuity with the regular profile editing screen and the user admin profile editing screen.
Fixes#41635
git-svn-id: https://develop.svn.wordpress.org/trunk@41253 602fd350-edb4-49c9-b593-d223f7449a82
This change improves code clarity by using the current naming conventions for networks.
Props lemacarl.
Fixes#41510.
git-svn-id: https://develop.svn.wordpress.org/trunk@41241 602fd350-edb4-49c9-b593-d223f7449a82
Fixes a visual glitch visible on Ubuntu. WordPress uses system fonts and they have
different metrics across operating systems. Uses screen-reader-text as a more
solid way to visually hide text.
Props punit5658, afercia.
Fixes#41497.
git-svn-id: https://develop.svn.wordpress.org/trunk@41227 602fd350-edb4-49c9-b593-d223f7449a82
This makes sure that plugins hooked to `save_post` get the right post format.
Props Chouby, SergeyBiryukov.
Fixes#41396.
git-svn-id: https://develop.svn.wordpress.org/trunk@41187 602fd350-edb4-49c9-b593-d223f7449a82
This reduces the chances of a site compromise going unnoticed, in the same way that the same notifications for user account email address changes reduces the chances of a user account compromise going unnoticed.
Props MatheusGimenez, johnbillion
Fixes#39117
git-svn-id: https://develop.svn.wordpress.org/trunk@41164 602fd350-edb4-49c9-b593-d223f7449a82
This adds this previously Multisite-only functionality to single site installations too. This change prevents accidental or erroneous email address changes from potentially locking users out of their account.
Props rodrigosprimo, tharsheblows, johnbillion
Fixes#16470
git-svn-id: https://develop.svn.wordpress.org/trunk@41163 602fd350-edb4-49c9-b593-d223f7449a82
Prior to about 2013, many class methods lacked even access modifiers which made the `@access` notations that much more useful. Now that we've gotten to a point where the codebase is more mature from a maintenance perspective and we can finally remove these notations. Notable exceptions to this change include standalone functions notated as private as well as some classes still considered to represent "private" APIs.
See #41452.
git-svn-id: https://develop.svn.wordpress.org/trunk@41161 602fd350-edb4-49c9-b593-d223f7449a82
This ensures all the column titles, not just the Comments column one, are
"clean" when later reused for the Screen Options checkboxes. Also introduces
some consistency with what is already done in WP_List_Table.
Fixes#41261.
git-svn-id: https://develop.svn.wordpress.org/trunk@41148 602fd350-edb4-49c9-b593-d223f7449a82
This ensures that users who are a member of a site but have no role are correctly listed on the Users screen and can be filtered from the 'None' role filter.
Props tobi823, flixos90, scottlee
Fixes#36196
git-svn-id: https://develop.svn.wordpress.org/trunk@41138 602fd350-edb4-49c9-b593-d223f7449a82
Prior to this change, the similar help tab and sidebar for these screens were all duplicated for each respective screen. This changeset introduces two internal admin functions `get_site_screen_help_tab_args()` and `get_site_screen_help_sidebar_content()` that make these available in a centralized location.
Props atanasangelovdev.
Fixes#41167.
git-svn-id: https://develop.svn.wordpress.org/trunk@41065 602fd350-edb4-49c9-b593-d223f7449a82
This prevents "Empty Spam" and "Empty Trash" buttons from disappearing if there's only one page of comments in Spam/Trash.
Fixes#40975.
git-svn-id: https://develop.svn.wordpress.org/trunk@41022 602fd350-edb4-49c9-b593-d223f7449a82
