From a8890b9160a82be7233ec1317ef16abaf68e00ff Mon Sep 17 00:00:00 2001 From: ryan Date: Sat, 1 Aug 2009 21:12:17 +0000 Subject: [PATCH] Add some CYA cap checks. git-svn-id: http://svn.automattic.com/wordpress/trunk@11761 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/options-discussion.php | 3 +++ wp-admin/options-general.php | 3 +++ wp-admin/options-media.php | 3 +++ wp-admin/options-misc.php | 3 +++ wp-admin/options-permalink.php | 3 +++ wp-admin/options-privacy.php | 3 +++ wp-admin/options-reading.php | 3 +++ wp-admin/options-writing.php | 3 +++ wp-admin/plugins.php | 18 ++++++++++++++++++ wp-admin/themes.php | 3 +++ wp-includes/vars.php | 1 + 11 files changed, 46 insertions(+) diff --git a/wp-admin/options-discussion.php b/wp-admin/options-discussion.php index b3baf56727..f6cc7747f2 100644 --- a/wp-admin/options-discussion.php +++ b/wp-admin/options-discussion.php @@ -9,6 +9,9 @@ /** WordPress Administration Bootstrap */ require_once('admin.php'); +if ( ! current_user_can('manage_options') ) + wp_die(__('You do not have sufficient permissions to manage options for this blog.')); + $title = __('Discussion Settings'); $parent_file = 'options-general.php'; diff --git a/wp-admin/options-general.php b/wp-admin/options-general.php index 3f2588856b..def2124985 100644 --- a/wp-admin/options-general.php +++ b/wp-admin/options-general.php @@ -9,6 +9,9 @@ /** WordPress Administration Bootstrap */ require_once('./admin.php'); +if ( ! current_user_can('manage_options') ) + wp_die(__('You do not have sufficient permissions to manage options for this blog.')); + $title = __('General Settings'); $parent_file = 'options-general.php'; /* translators: date and time format for exact current time, mainly about timezones, see http://php.net/date */ diff --git a/wp-admin/options-media.php b/wp-admin/options-media.php index 6c97c0323c..e5abf4e56e 100644 --- a/wp-admin/options-media.php +++ b/wp-admin/options-media.php @@ -9,6 +9,9 @@ /** WordPress Administration Bootstrap */ require_once('admin.php'); +if ( ! current_user_can('manage_options') ) + wp_die(__('You do not have sufficient permissions to manage options for this blog.')); + $title = __('Media Settings'); $parent_file = 'options-general.php'; diff --git a/wp-admin/options-misc.php b/wp-admin/options-misc.php index e63528103c..cc366a9fc8 100644 --- a/wp-admin/options-misc.php +++ b/wp-admin/options-misc.php @@ -9,6 +9,9 @@ /** WordPress Administration Bootstrap */ require_once('admin.php'); +if ( ! current_user_can('manage_options') ) + wp_die(__('You do not have sufficient permissions to manage options for this blog.')); + $title = __('Miscellaneous Settings'); $parent_file = 'options-general.php'; diff --git a/wp-admin/options-permalink.php b/wp-admin/options-permalink.php index 4bff30a4cb..c06fa08c8a 100644 --- a/wp-admin/options-permalink.php +++ b/wp-admin/options-permalink.php @@ -9,6 +9,9 @@ /** WordPress Administration Bootstrap */ require_once('admin.php'); +if ( ! current_user_can('manage_options') ) + wp_die(__('You do not have sufficient permissions to manage options for this blog.')); + $title = __('Permalink Settings'); $parent_file = 'options-general.php'; diff --git a/wp-admin/options-privacy.php b/wp-admin/options-privacy.php index b501a27cb2..009e943015 100644 --- a/wp-admin/options-privacy.php +++ b/wp-admin/options-privacy.php @@ -9,6 +9,9 @@ /** Load WordPress Administration Bootstrap */ require_once('./admin.php'); +if ( ! current_user_can('manage_options') ) + wp_die(__('You do not have sufficient permissions to manage options for this blog.')); + $title = __('Privacy Settings'); $parent_file = 'options-general.php'; diff --git a/wp-admin/options-reading.php b/wp-admin/options-reading.php index 64410c380d..dd3ba3be58 100644 --- a/wp-admin/options-reading.php +++ b/wp-admin/options-reading.php @@ -9,6 +9,9 @@ /** WordPress Administration Bootstrap */ require_once('admin.php'); +if ( ! current_user_can('manage_options') ) + wp_die(__('You do not have sufficient permissions to manage options for this blog.')); + $title = __('Reading Settings'); $parent_file = 'options-general.php'; diff --git a/wp-admin/options-writing.php b/wp-admin/options-writing.php index 208aab4b93..a8979f4e17 100644 --- a/wp-admin/options-writing.php +++ b/wp-admin/options-writing.php @@ -9,6 +9,9 @@ /** WordPress Administration Bootstrap */ require_once('admin.php'); +if ( ! current_user_can('manage_options') ) + wp_die(__('You do not have sufficient permissions to manage options for this blog.')); + $title = __('Writing Settings'); $parent_file = 'options-general.php'; diff --git a/wp-admin/plugins.php b/wp-admin/plugins.php index 71afa15738..b17e4d527f 100644 --- a/wp-admin/plugins.php +++ b/wp-admin/plugins.php @@ -9,6 +9,9 @@ /** WordPress Administration Bootstrap */ require_once('admin.php'); +if ( ! current_user_can('activate_plugins') ) + wp_die(__('You do not have sufficient permissions to manage plugins for this blog.')); + if ( isset($_POST['clear-recent-list']) ) $action = 'clear-recent-list'; elseif ( !empty($_REQUEST['action']) ) @@ -37,6 +40,9 @@ $_SERVER['REQUEST_URI'] = remove_query_arg(array('error', 'deleted', 'activate', if ( !empty($action) ) { switch ( $action ) { case 'activate': + if ( ! current_user_can('activate_plugins') ) + wp_die(__('You do not have sufficient permissions to activate plugins for this blog.')); + check_admin_referer('activate-plugin_' . $plugin); $result = activate_plugin($plugin, 'plugins.php?error=true&plugin=' . $plugin); @@ -53,6 +59,9 @@ if ( !empty($action) ) { exit; break; case 'activate-selected': + if ( ! current_user_can('activate_plugins') ) + wp_die(__('You do not have sufficient permissions to activate plugins for this blog.')); + check_admin_referer('bulk-manage-plugins'); $plugins = (array) $_POST['checked']; @@ -75,6 +84,9 @@ if ( !empty($action) ) { exit; break; case 'error_scrape': + if ( ! current_user_can('activate_plugins') ) + wp_die(__('You do not have sufficient permissions to activate plugins for this blog.')); + check_admin_referer('plugin-activation-error_' . $plugin); $valid = validate_plugin($plugin); @@ -88,6 +100,9 @@ if ( !empty($action) ) { exit; break; case 'deactivate': + if ( ! current_user_can('activate_plugins') ) + wp_die(__('You do not have sufficient permissions to deactivate plugins for this blog.')); + check_admin_referer('deactivate-plugin_' . $plugin); deactivate_plugins($plugin); update_option('recently_activated', array($plugin => time()) + (array)get_option('recently_activated')); @@ -95,6 +110,9 @@ if ( !empty($action) ) { exit; break; case 'deactivate-selected': + if ( ! current_user_can('activate_plugins') ) + wp_die(__('You do not have sufficient permissions to deactivate plugins for this blog.')); + check_admin_referer('bulk-manage-plugins'); $plugins = (array) $_POST['checked']; diff --git a/wp-admin/themes.php b/wp-admin/themes.php index 358e9644b9..63adc450f0 100644 --- a/wp-admin/themes.php +++ b/wp-admin/themes.php @@ -9,6 +9,9 @@ /** WordPress Administration Bootstrap */ require_once('admin.php'); +if ( !current_user_can('switch_themes') ) + wp_die( __( 'Cheatin’ uh?' ) ); + if ( isset($_GET['action']) ) { if ( 'activate' == $_GET['action'] ) { check_admin_referer('switch-theme_' . $_GET['template']); diff --git a/wp-includes/vars.php b/wp-includes/vars.php index 232385da64..b66b31311b 100644 --- a/wp-includes/vars.php +++ b/wp-includes/vars.php @@ -17,6 +17,7 @@ if ( is_admin() ) { // wp-admin pages are checked more carefully preg_match('#/wp-admin/?(.*?)$#i', $PHP_SELF, $self_matches); $pagenow = $self_matches[1]; + $pagenow = trim($pagenow, '/'); $pagenow = preg_replace('#\?.*?$#', '', $pagenow); if ( '' === $pagenow || 'index' === $pagenow || 'index.php' === $pagenow ) { $pagenow = 'index.php';