Introduce upload_plugins and upload_themes capabilities to allow blocking of plugin and theme uploads, versus the old hacky (and not secure) ways of just hiding UI tabs. These are simply meta capabilities that map to install_plugins and install_themes.
Also:
* Use the same nice design for the plugin upload screen as the theme upload screen.
* Better compatibility for the old install_themes_tabs filter added in [29002]. see #28578.
* Ensure using the install_plugins_tabs filter to remove the upload tab removes the new button.
* Use 'Add Plugins' instead of 'Install Plugins' to match 'Add Themes'.
fixes#29236.
git-svn-id: https://develop.svn.wordpress.org/trunk@29634 602fd350-edb4-49c9-b593-d223f7449a82
You can now allow users to access the Customizer, say for any user who can `edit_posts`, via `map_meta_cap` or `user_has_cap` filter. See ticket for examples.
props westonruter, nacin.
fixes#28605.
git-svn-id: https://develop.svn.wordpress.org/trunk@29170 602fd350-edb4-49c9-b593-d223f7449a82
Add `public` to methods/members of `WP_Role`.
Add `public` to methods/members of `WP_User` where appropriate. Don't set `private` where indicated until more study has occurred and tests have been written for compatibiliy with existing magic methods.
See #27881, #22234.
git-svn-id: https://develop.svn.wordpress.org/trunk@28531 602fd350-edb4-49c9-b593-d223f7449a82
Undoes [12053]. While it risks breakage, this is a far safer and saner default for these situations.
props danielbachhuber.
fixes#27020.
git-svn-id: https://develop.svn.wordpress.org/trunk@27390 602fd350-edb4-49c9-b593-d223f7449a82
* `wp_ajax_get_comments()` relies on the `$post_id` global - even though `$_POST['p']` is passed to every action in the test methods. If `$post_id` is still lingering in between tests and doesn't match `p` in the request, the cap check might pass while the queries for comments will blow up. I added `unset( $GLOBALS['post_id'] )` to `Tests_Ajax_GetComments::setUp()`.
* If the global `$post_id` is empty, but `$_REQUEST['p']` is not, `$post_id` is now set to `absint( $_REQUEST['p'] )` and sanity-checked in `wp_ajax_get_comments()`.
* `map_meta_cap()` always assumes that `get_comment()` succeeds when checking for the `edit_comment` cap. It doesn't. I added sanity checks in a few places where it will break early if `get_post()` or `get_comment()` are empty.
* `wp_update_comment()` always assumes `get_comment()` succeeds. It doesn't. I added a check for empty.
All AJAX unit tests run and pass in debug mode. All general unit tests pass against these changes.
Fixes#25282.
git-svn-id: https://develop.svn.wordpress.org/trunk@25438 602fd350-edb4-49c9-b593-d223f7449a82
* All WordPress files move to a src/ directory.
* New task runner (Grunt), configured to copy a built WordPress to build/.
* svn:ignore and .gitignore for Gruntfile.js, wp-config.php, and node.js.
* Remove Akismet external from develop.svn. Still exists in core.svn.
* Drop minified files from src/. The build process will now generate these.
props koop.
see #24976.
and see http://wp.me/p2AvED-1AI.
git-svn-id: https://develop.svn.wordpress.org/trunk@25001 602fd350-edb4-49c9-b593-d223f7449a82
