Plugins: Move capability checks further up in `wp_ajax_update_plugin()` and `wp_ajax_delete_plugin()`.
Add tests for both Ajax handlers. Props Yorick Koster, swissspidy. Fixes #37490. Built from https://develop.svn.wordpress.org/trunk@38168 git-svn-id: http://core.svn.wordpress.org/trunk@38109 1a063a9b-81f0-0310-95a4-ce76da25c4cd
parent
e4abc1ecbf
commit
3105764efd
|
@ -3653,28 +3653,29 @@ function wp_ajax_update_plugin() {
|
|||
) );
|
||||
}
|
||||
|
||||
$plugin = plugin_basename( sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) );
|
||||
$plugin_data = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
|
||||
$plugin = plugin_basename( sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) );
|
||||
|
||||
$status = array(
|
||||
'update' => 'plugin',
|
||||
'plugin' => $plugin,
|
||||
'slug' => sanitize_key( wp_unslash( $_POST['slug'] ) ),
|
||||
'pluginName' => $plugin_data['Name'],
|
||||
'oldVersion' => '',
|
||||
'newVersion' => '',
|
||||
);
|
||||
|
||||
if ( ! current_user_can( 'update_plugins' ) || 0 !== validate_file( $plugin ) ) {
|
||||
$status['errorMessage'] = __( 'Sorry, you are not allowed to update plugins for this site.' );
|
||||
wp_send_json_error( $status );
|
||||
}
|
||||
|
||||
$plugin_data = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
|
||||
$status['plugin'] = $plugin;
|
||||
$status['pluginName'] = $plugin_data['Name'];
|
||||
|
||||
if ( $plugin_data['Version'] ) {
|
||||
/* translators: %s: Plugin version */
|
||||
$status['oldVersion'] = sprintf( __( 'Version %s' ), $plugin_data['Version'] );
|
||||
}
|
||||
|
||||
if ( ! current_user_can( 'update_plugins' ) ) {
|
||||
$status['errorMessage'] = __( 'Sorry, you are not allowed to update plugins for this site.' );
|
||||
wp_send_json_error( $status );
|
||||
}
|
||||
|
||||
include_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
|
||||
|
||||
wp_update_plugins();
|
||||
|
@ -3748,24 +3749,29 @@ function wp_ajax_delete_plugin() {
|
|||
check_ajax_referer( 'updates' );
|
||||
|
||||
if ( empty( $_POST['slug'] ) || empty( $_POST['plugin'] ) ) {
|
||||
wp_send_json_error( array( 'errorCode' => 'no_plugin_specified' ) );
|
||||
wp_send_json_error( array(
|
||||
'slug' => '',
|
||||
'errorCode' => 'no_plugin_specified',
|
||||
'errorMessage' => __( 'No plugin specified.' ),
|
||||
) );
|
||||
}
|
||||
|
||||
$plugin = plugin_basename( sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) );
|
||||
$plugin_data = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
|
||||
$plugin = plugin_basename( sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) );
|
||||
|
||||
$status = array(
|
||||
'delete' => 'plugin',
|
||||
'slug' => sanitize_key( wp_unslash( $_POST['slug'] ) ),
|
||||
'plugin' => $plugin,
|
||||
'pluginName' => $plugin_data['Name'],
|
||||
'delete' => 'plugin',
|
||||
'slug' => sanitize_key( wp_unslash( $_POST['slug'] ) ),
|
||||
);
|
||||
|
||||
if ( ! current_user_can( 'delete_plugins' ) ) {
|
||||
if ( ! current_user_can( 'delete_plugins' ) || 0 !== validate_file( $plugin ) ) {
|
||||
$status['errorMessage'] = __( 'Sorry, you are not allowed to delete plugins for this site.' );
|
||||
wp_send_json_error( $status );
|
||||
}
|
||||
|
||||
$plugin_data = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
|
||||
$status['plugin'] = $plugin;
|
||||
$status['pluginName'] = $plugin_data['Name'];
|
||||
|
||||
if ( is_plugin_active( $plugin ) ) {
|
||||
$status['errorMessage'] = __( 'You cannot delete a plugin while it is active on the main site.' );
|
||||
wp_send_json_error( $status );
|
||||
|
|
|
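Review bot: In the new guard `if ( ! current_user_can( 'update_plugins' ) || 0 !== validate_file( $plugin ) )` a malformed plugin path (one that validate_file() rejects) is reported with the same errorMessage as a missing capability, and nothing in the hunk says why the path check sits there; the same applies to the `delete_plugins` guard in the second hunk. The reason matters to a future maintainer, because get_plugin_data() builds a filesystem path from `$plugin` on the very next lines, so the validation has to stay ahead of that call. I would add a comment above both guards such as `// Reject traversal or absolute paths before $plugin is used to build a filesystem path.`, and, if the client should be able to tell the two failures apart, give the path failure its own branch with its own errorCode. validate_file() does not check existence, so get_plugin_data() can still be handed a file that is not there; presumably the upgrader and delete_plugins() report that later, but that code is outside these hunks. Both function bodies continue beyond the hunks.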
@ -447,7 +447,11 @@
|
|||
errorMessage = wp.updates.l10n.updateFailed.replace( '%s', response.errorMessage );
|
||||
|
||||
if ( 'plugins' === pagenow || 'plugins-network' === pagenow ) {
|
||||
$message = $( 'tr[data-plugin="' + response.plugin + '"]' ).find( '.update-message' );
|
||||
if ( response.plugin ) {
|
||||
$message = $( 'tr[data-plugin="' + response.plugin + '"]' ).find( '.update-message' );
|
||||
} else {
|
||||
$message = $( 'tr[data-slug="' + response.slug + '"]' ).find( '.update-message' );
|
||||
}
|
||||
$message.removeClass( 'updating-message notice-warning' ).addClass( 'notice-error' ).find( 'p' ).html( errorMessage );
|
||||
} else if ( 'plugin-install' === pagenow || 'plugin-install-network' === pagenow ) {
|
||||
$card = $( '.plugin-card-' + response.slug )
|
||||
|
@ -458,9 +462,13 @@
|
|||
} ) );
|
||||
|
||||
$card.find( '.update-now' )
|
||||
.attr( 'aria-label', wp.updates.l10n.updateFailedLabel.replace( '%s', response.pluginName ) )
|
||||
.text( wp.updates.l10n.updateFailedShort ).removeClass( 'updating-message' );
|
||||
|
||||
if ( response.pluginName ) {
|
||||
$card.find( '.update-now' )
|
||||
.attr( 'aria-label', wp.updates.l10n.updateFailedLabel.replace( '%s', response.pluginName ) );
|
||||
}
|
||||
|
||||
$card.on( 'click', '.notice.is-dismissible .notice-dismiss', function() {
|
||||
|
||||
// Use same delay as the total duration of the notice fadeTo + slideUp animation.
|
||||
|
@ -814,14 +822,21 @@
|
|||
* @param {string} response.errorMessage The error that occurred.
|
||||
*/
|
||||
wp.updates.deletePluginError = function( response ) {
|
||||
var $plugin = $( 'tr.inactive[data-plugin="' + response.plugin + '"]' ),
|
||||
var $plugin, $pluginUpdateRow,
|
||||
pluginUpdateRow = wp.template( 'item-update-row' ),
|
||||
$pluginUpdateRow = $plugin.siblings( '[data-plugin="' + response.plugin + '"]' ),
|
||||
noticeContent = wp.updates.adminNotice( {
|
||||
className: 'update-message notice-error notice-alt',
|
||||
message: response.errorMessage
|
||||
} );
|
||||
|
||||
if ( response.plugin ) {
|
||||
$plugin = $( 'tr.inactive[data-plugin="' + response.plugin + '"]' );
|
||||
$pluginUpdateRow = $plugin.siblings( '[data-plugin="' + response.plugin + '"]' );
|
||||
} else {
|
||||
$plugin = $( 'tr.inactive[data-slug="' + response.slug + '"]' );
|
||||
$pluginUpdateRow = $plugin.siblings( '[data-slug="' + response.slug + '"]' );
|
||||
}
|
||||
|
||||
if ( ! wp.updates.isValidResponse( response, 'delete' ) ) {
|
||||
return;
|
||||
}
|
||||
|
@ -835,7 +850,7 @@
|
|||
$plugin.addClass( 'update' ).after(
|
||||
pluginUpdateRow( {
|
||||
slug: response.slug,
|
||||
plugin: response.plugin,
|
||||
plugin: response.plugin || response.slug,
|
||||
colspan: $( '#bulk-action-form' ).find( 'thead th:not(.hidden), thead td' ).length,
|
||||
content: noticeContent
|
||||
} )
|
||||
|
|
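Review bot: The fallback selector `$( 'tr[data-slug="' + response.slug + '"]' )` added in updatePluginError (and again in deletePluginError) matches no row when the server returns `slug: ''`, which is what the `no_plugin_specified` response in this commit sends, so the error text is never shown on the Plugins screen. Because `$message` is then an empty jQuery set, the `.removeClass( ... ).addClass( 'notice-error' ).find( 'p' ).html( errorMessage )` chain silently does nothing. This is probably only reachable by a client that omits both `plugin` and `slug`, so it may be acceptable, but it should be stated, e.g. `// An empty slug selects no row; the message is dropped rather than shown in the wrong place.` above the else branch. deletePluginError's body continues past the last hunk.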
|
@ -4,7 +4,7 @@
|
|||
*
|
||||
* @global string $wp_version
|
||||
*/
|
||||
$wp_version = '4.6-beta4-38167';
|
||||
$wp_version = '4.6-beta4-38168';
|
||||
|
||||
/**
|
||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||
|
|