Theme Customizer: Block non-existent or non-allowed themes, unless the non-allowed theme is the active theme. Support a user having edit_theme_options xor switch_themes. fixes #20852.

git-svn-id: https://develop.svn.wordpress.org/trunk@21010 602fd350-edb4-49c9-b593-d223f7449a82
2026-03-31 10:44:26 +00:00 · 2012-06-06 20:34:24 +00:00
parent 8f4c41a2dd
commit 7996c82427
7 changed files with 67 additions and 57 deletions
--- a/wp-admin/customize.php
+++ b/wp-admin/customize.php
@@ -13,11 +13,6 @@ if ( ! current_user_can( 'edit_theme_options' ) )

 global $wp_scripts, $wp_customize;

-wp_reset_vars( array( 'theme' ) );
-
-if ( ! $theme )
-	$theme = get_stylesheet();
-
 $registered = $wp_scripts->registered;
 $wp_scripts = new WP_Scripts;
 $wp_scripts->registered = $registered;
@@ -48,7 +43,7 @@ do_action( 'customize_controls_print_scripts' );
 </head>
 <body class="wp-full-overlay">
 	<form id="customize-controls" class="wrap wp-full-overlay-sidebar">
-		<?php wp_nonce_field( 'customize_controls' ); ?>
+		<?php wp_nonce_field( 'customize_controls-' . $wp_customize->get_stylesheet() ); ?>
 		<div id="customize-header-actions" class="wp-full-overlay-header">
 			<?php
 				$save_text = $wp_customize->is_theme_active() ? __( 'Save &amp; Publish' ) : __( 'Save &amp; Activate' );