Add some CYA cap checks.

git-svn-id: http://svn.automattic.com/wordpress/trunk@11761 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
ryan 2009-08-01 21:12:17 +00:00
parent a431376de5
commit a8890b9160
11 changed files with 46 additions and 0 deletions

View File

@ -9,6 +9,9 @@
/** WordPress Administration Bootstrap */
require_once('admin.php');
if ( ! current_user_can('manage_options') )
wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
$title = __('Discussion Settings');
$parent_file = 'options-general.php';

View File

@ -9,6 +9,9 @@
/** WordPress Administration Bootstrap */
require_once('./admin.php');
if ( ! current_user_can('manage_options') )
wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
$title = __('General Settings');
$parent_file = 'options-general.php';
/* translators: date and time format for exact current time, mainly about timezones, see http://php.net/date */

View File

@ -9,6 +9,9 @@
/** WordPress Administration Bootstrap */
require_once('admin.php');
if ( ! current_user_can('manage_options') )
wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
$title = __('Media Settings');
$parent_file = 'options-general.php';

View File

@ -9,6 +9,9 @@
/** WordPress Administration Bootstrap */
require_once('admin.php');
if ( ! current_user_can('manage_options') )
wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
$title = __('Miscellaneous Settings');
$parent_file = 'options-general.php';

View File

@ -9,6 +9,9 @@
/** WordPress Administration Bootstrap */
require_once('admin.php');
if ( ! current_user_can('manage_options') )
wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
$title = __('Permalink Settings');
$parent_file = 'options-general.php';

View File

@ -9,6 +9,9 @@
/** Load WordPress Administration Bootstrap */
require_once('./admin.php');
if ( ! current_user_can('manage_options') )
wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
$title = __('Privacy Settings');
$parent_file = 'options-general.php';

View File

@ -9,6 +9,9 @@
/** WordPress Administration Bootstrap */
require_once('admin.php');
if ( ! current_user_can('manage_options') )
wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
$title = __('Reading Settings');
$parent_file = 'options-general.php';

View File

@ -9,6 +9,9 @@
/** WordPress Administration Bootstrap */
require_once('admin.php');
if ( ! current_user_can('manage_options') )
wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
$title = __('Writing Settings');
$parent_file = 'options-general.php';

View File

@ -9,6 +9,9 @@
/** WordPress Administration Bootstrap */
require_once('admin.php');
if ( ! current_user_can('activate_plugins') )
wp_die(__('You do not have sufficient permissions to manage plugins for this blog.'));
if ( isset($_POST['clear-recent-list']) )
$action = 'clear-recent-list';
elseif ( !empty($_REQUEST['action']) )
@ -37,6 +40,9 @@ $_SERVER['REQUEST_URI'] = remove_query_arg(array('error', 'deleted', 'activate',
if ( !empty($action) ) {
switch ( $action ) {
case 'activate':
if ( ! current_user_can('activate_plugins') )
wp_die(__('You do not have sufficient permissions to activate plugins for this blog.'));
check_admin_referer('activate-plugin_' . $plugin);
$result = activate_plugin($plugin, 'plugins.php?error=true&plugin=' . $plugin);
@ -53,6 +59,9 @@ if ( !empty($action) ) {
exit;
break;
case 'activate-selected':
if ( ! current_user_can('activate_plugins') )
wp_die(__('You do not have sufficient permissions to activate plugins for this blog.'));
check_admin_referer('bulk-manage-plugins');
$plugins = (array) $_POST['checked'];
@ -75,6 +84,9 @@ if ( !empty($action) ) {
exit;
break;
case 'error_scrape':
if ( ! current_user_can('activate_plugins') )
wp_die(__('You do not have sufficient permissions to activate plugins for this blog.'));
check_admin_referer('plugin-activation-error_' . $plugin);
$valid = validate_plugin($plugin);
@ -88,6 +100,9 @@ if ( !empty($action) ) {
exit;
break;
case 'deactivate':
if ( ! current_user_can('activate_plugins') )
wp_die(__('You do not have sufficient permissions to deactivate plugins for this blog.'));
check_admin_referer('deactivate-plugin_' . $plugin);
deactivate_plugins($plugin);
update_option('recently_activated', array($plugin => time()) + (array)get_option('recently_activated'));
@ -95,6 +110,9 @@ if ( !empty($action) ) {
exit;
break;
case 'deactivate-selected':
if ( ! current_user_can('activate_plugins') )
wp_die(__('You do not have sufficient permissions to deactivate plugins for this blog.'));
check_admin_referer('bulk-manage-plugins');
$plugins = (array) $_POST['checked'];

View File

@ -9,6 +9,9 @@
/** WordPress Administration Bootstrap */
require_once('admin.php');
if ( !current_user_can('switch_themes') )
wp_die( __( 'Cheatin’ uh?' ) );
if ( isset($_GET['action']) ) {
if ( 'activate' == $_GET['action'] ) {
check_admin_referer('switch-theme_' . $_GET['template']);

View File

@ -17,6 +17,7 @@ if ( is_admin() ) {
// wp-admin pages are checked more carefully
preg_match('#/wp-admin/?(.*?)$#i', $PHP_SELF, $self_matches);
$pagenow = $self_matches[1];
$pagenow = trim($pagenow, '/');
$pagenow = preg_replace('#\?.*?$#', '', $pagenow);
if ( '' === $pagenow || 'index' === $pagenow || 'index.php' === $pagenow ) {
$pagenow = 'index.php';