vhad/wordpress-develop
1
0
Fork 0
mirror of https://github.com/gosticks/wordpress-develop.git synced 2026-06-28 14:20:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Theme Customizer: Block non-existent or non-allowed themes, unless the non-allowed theme is the active theme. Support a user having edit_theme_options xor switch_themes. fixes #20852.

Browse Source 
git-svn-id: https://develop.svn.wordpress.org/trunk@21010 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Andrew Nacin
2012-06-06 20:34:24 +00:00
parent 8f4c41a2dd
commit 7996c82427
7 changed files with 67 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
wp-includes/class-wp-customize-manager.php
View File

@@ -78,11 +78,22 @@ final class WP_Customize_Manager {
* @since 3.4.0
*/
public function setup_theme() {
if ( ! ( isset( $_REQUEST['customize'] ) && 'on' == $_REQUEST['customize'] ) && ! basename( $_SERVER['PHP_SELF'] ) == 'customize.php' )
return;
send_origin_headers();
$this->original_stylesheet = get_stylesheet();
$this->theme = wp_get_theme( isset( $_REQUEST['theme'] ) ? $_REQUEST['theme'] : null );
// You can't preview a theme if it doesn't exist, or if it is not allowed (unless active).
if ( ! $this->theme->exists() )
wp_die( __( 'Cheatin’ uh?' ) );
if ( $this->theme->get_stylesheet() != get_stylesheet() && ( ! $this->theme()->is_allowed() || ! current_user_can( 'switch_themes' ) ) )
wp_die( __( 'Cheatin’ uh?' ) );
if ( ! current_user_can( 'edit_theme_options' ) )
wp_die( __( 'Cheatin’ uh?' ) );
$this->start_previewing_theme();
show_admin_bar( false );
}
@@ -95,20 +106,10 @@ final class WP_Customize_Manager {
* @since 3.4.0
*/
public function start_previewing_theme() {
if ( $this->is_preview() || false === $this->theme || ( $this->theme && ! $this->theme->exists() ) )
// Bail if we're already previewing.
if ( $this->is_preview() )
return;
// Initialize $theme and $original_stylesheet if they do not yet exist.
if ( ! isset( $this->theme ) ) {
$this->theme = wp_get_theme( isset( $_REQUEST['theme'] ) ? $_REQUEST['theme'] : null );
if ( ! $this->theme->exists() ) {
$this->theme = false;
return;
}
}
$this->original_stylesheet = get_stylesheet();
$this->previewing = true;
add_filter( 'template', array( $this, 'get_template' ) );
@@ -419,13 +420,10 @@ final class WP_Customize_Manager {
if ( ! $this->is_preview() )
die;
check_ajax_referer( 'customize_controls', 'nonce' );
check_ajax_referer( 'customize_controls-' . $this->get_stylesheet(), 'nonce' );
// Do we have to switch themes?
if ( $this->get_stylesheet() != $this->original_stylesheet ) {
if ( ! current_user_can( 'switch_themes' ) )
die;
// Temporarily stop previewing the theme to allow switch_themes()
// to operate properly.
$this->stop_previewing_theme();

3
wp-includes/js/customize-loader.dev.js
View File

@@ -17,12 +17,9 @@ if ( typeof wp === 'undefined' )
// Ensure the loader is supported.
// Check for settings, postMessage support, and whether we require CORS support.
if ( ! Loader.settings || ! $.support.postMessage || ( ! $.support.cors && Loader.settings.isCrossDomain ) ) {
this.body.removeClass( 'customize-support' ).addClass( 'no-customize-support' );
return;
}
this.body.removeClass( 'no-customize-support' ).addClass( 'customize-support' );
this.window = $( window );
this.element = $( '<div id="customize-container" />' ).appendTo( this.body );