Theme Customizer: Block non-existent or non-allowed themes, unless the non-allowed theme is the active theme. Support a user having edit_theme_options xor switch_themes. fixes #20852.

git-svn-id: https://develop.svn.wordpress.org/trunk@21010 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Andrew Nacin
2012-06-06 20:34:24 +00:00
parent 8f4c41a2dd
commit 7996c82427
7 changed files with 67 additions and 57 deletions

View File

@@ -125,21 +125,25 @@ class WP_Themes_List_Table extends WP_List_Table {
$version = $theme->display('Version');
$author = $theme->display('Author');
$activate_link = wp_nonce_url( "themes.php?action=activate&template=" . urlencode( $template ) . "&stylesheet=" . urlencode( $stylesheet ), 'switch-theme_' . $template );
$activate_link = wp_nonce_url( "themes.php?action=activate&template=" . urlencode( $template ) . "&stylesheet=" . urlencode( $stylesheet ), 'switch-theme_' . $stylesheet );
$preview_link = esc_url( add_query_arg(
array( 'preview' => 1, 'template' => $template, 'stylesheet' => $stylesheet, 'preview_iframe' => true, 'TB_iframe' => 'true' ),
home_url( '/' ) ) );
$actions = array();
$actions[] = '<a href="' . $activate_link . '" class="activatelink" title="'
$actions['activate'] = '<a href="' . $activate_link . '" class="activatelink" title="'
. esc_attr( sprintf( __( 'Activate &#8220;%s&#8221;' ), $title ) ) . '">' . __( 'Activate' ) . '</a>';
$actions[] = '<a href="' . $preview_link . '" class="hide-if-customize" title="'
. esc_attr( sprintf( __( 'Preview &#8220;%s&#8221;' ), $title ) ) . '">' . __( 'Preview' ) . '</a>'
. '<a href="' . wp_customize_url( $stylesheet ) . '" class="load-customize hide-if-no-customize">'
. __( 'Live Preview' ) . '</a>';
$actions['preview'] = '<a href="' . $preview_link . '" class="hide-if-customize" title="'
. esc_attr( sprintf( __( 'Preview &#8220;%s&#8221;' ), $title ) ) . '">' . __( 'Preview' ) . '</a>';
if ( current_user_can( 'edit_theme_options' ) )
$actions['preview'] .= '<a href="' . wp_customize_url( $stylesheet ) . '" class="load-customize hide-if-no-customize">'
. __( 'Live Preview' ) . '</a>';
if ( ! is_multisite() && current_user_can( 'delete_themes' ) )
$actions['delete'] = '<a class="submitdelete deletion" href="' . wp_nonce_url( "themes.php?action=delete&amp;template=$stylesheet", 'delete-theme_' . $stylesheet )
$actions['delete'] = '<a class="submitdelete deletion" href="' . wp_nonce_url( "themes.php?action=delete&amp;stylesheet=$stylesheet", 'delete-theme_' . $stylesheet )
. '" onclick="' . "return confirm( '" . esc_js( sprintf( __( "You are about to delete this theme '%s'\n 'Cancel' to stop, 'OK' to delete." ), $title ) )
. "' );" . '">' . __( 'Delete' ) . '</a>';

View File

@@ -11,19 +11,19 @@
*
* @since 2.8.0
*
* @param string $template Template directory of the theme to delete
* @param string $stylesheet Stylesheet of the theme to delete
* @param string $redirect Redirect to page when complete.
* @return mixed
*/
function delete_theme($template, $redirect = '') {
function delete_theme($stylesheet, $redirect = '') {
global $wp_filesystem;
if ( empty($template) )
if ( empty($stylesheet) )
return false;
ob_start();
if ( empty( $redirect ) )
$redirect = wp_nonce_url('themes.php?action=delete&template=' . $template, 'delete-theme_' . $template);
$redirect = wp_nonce_url('themes.php?action=delete&stylesheet=' . $stylesheet, 'delete-theme_' . $stylesheet);
if ( false === ($credentials = request_filesystem_credentials($redirect)) ) {
$data = ob_get_contents();
ob_end_clean();
@@ -61,11 +61,11 @@ function delete_theme($template, $redirect = '') {
return new WP_Error('fs_no_themes_dir', __('Unable to locate WordPress theme directory.'));
$themes_dir = trailingslashit( $themes_dir );
$theme_dir = trailingslashit($themes_dir . $template);
$theme_dir = trailingslashit($themes_dir . $stylesheet);
$deleted = $wp_filesystem->delete($theme_dir, true);
if ( ! $deleted )
return new WP_Error('could_not_remove_theme', sprintf(__('Could not fully remove the theme %s.'), $template) );
return new WP_Error('could_not_remove_theme', sprintf(__('Could not fully remove the theme %s.'), $stylesheet) );
// Force refresh of theme update information
delete_site_transient('update_themes');