Commit Graph

27 Commits

Author SHA1 Message Date
Pascal Birchler d2fb0bd81e General: Remove any usage of `wp_reset_vars()`.
The way `wp_reset_vars()` sets global variables based on `$_POST` and `$_GET` values makes code hard to understand and maintain. It also makes it easy to forget to sanitize input.

This change removes the few places where `wp_reset_vars()` is used in the admin to explicitly use `$_REQUEST` and sanitize any input.

Props swissspidy, audrasjb, davideferre, killua99, weijland, voldemortensen.
Fixes #38073.
Built from https://develop.svn.wordpress.org/trunk@58069


git-svn-id: http://core.svn.wordpress.org/trunk@57534 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-05-01 18:01:12 +00:00
Sergey Biryukov f891f6f0c6 Administration: Require a valid action parameter to be set for `admin-ajax.php` requests.
This avoids `Array to string conversion` PHP notices when an array is passed as the `action` parameter.

Additionally, send an appropriate HTTP response status code when an invalid action is passed to `admin-post.php`.

Follow-up to [13175], [19738], [41120], [41926].

Props dd32.
Fixes #55212.
Built from https://develop.svn.wordpress.org/trunk@52813


git-svn-id: http://core.svn.wordpress.org/trunk@52402 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-03-02 15:00:11 +00:00
Sergey Biryukov 47ed56f38f Code Modernization: Replace `dirname( __FILE__ )` calls with `__DIR__` magic constant.
This avoids the performance overhead of the function call every time `dirname( __FILE__ )` was used instead of `__DIR__`.

This commit also includes:

* Removing unnecessary parentheses from `include`/`require` statements. These are language constructs, not function calls.
* Replacing `include` statements for several files with `require_once`, for consistency:
 * `wp-admin/admin-header.php`
 * `wp-admin/admin-footer.php`
 * `wp-includes/version.php`

Props ayeshrajans, desrosj, valentinbora, jrf, joostdevalk, netweb.
Fixes #48082.
Built from https://develop.svn.wordpress.org/trunk@47198


git-svn-id: http://core.svn.wordpress.org/trunk@46998 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-02-06 06:33:11 +00:00
Gary Pendergast 4fa5437fc1 Admin: Use `is_user_logged_in()` instead of `wp_validate_auth_cookie()` in `admin-post.php`.
This matches the authentication check in `admin-ajax.php`, and allows the authentication method to be filtered.

Props jmdodd.
Fixes #45475.


Built from https://develop.svn.wordpress.org/trunk@44615


git-svn-id: http://core.svn.wordpress.org/trunk@44446 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2019-01-16 05:41:50 +00:00
Drew Jaynes 92aa2f9e92 Docs: Fix a few minor inline documentation typos in a variety of files and contexts.
Props ramizmanked.
Fixes #45463.

Built from https://develop.svn.wordpress.org/trunk@44331


git-svn-id: http://core.svn.wordpress.org/trunk@44161 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2018-12-19 07:42:49 +00:00
Gary Pendergast aaf99e6913 Code is Poetry.
WordPress' code just... wasn't.
This is now dealt with.

Props jrf, pento, netweb, GaryJ, jdgrimes, westonruter, Greg Sherwood from PHPCS, and everyone who's ever contributed to WPCS and PHPCS.
Fixes #41057.


Built from https://develop.svn.wordpress.org/trunk@42343


git-svn-id: http://core.svn.wordpress.org/trunk@42172 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2017-11-30 23:11:00 +00:00
Dominik Schilling e5ea82d81a Spelling: Standardize on "front end"/"back end" (noun) and "front-end"/"back-end" (adjective).
Props obrienlabs, thewanderingbrit.
Fixes #34887.
Built from https://develop.svn.wordpress.org/trunk@36709


git-svn-id: http://core.svn.wordpress.org/trunk@36676 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-02-25 12:53:27 +00:00
Helen Hou-Sandí 48befcf361 Superglobals: Revert [34059] until further notice.
see #33837.

Built from https://develop.svn.wordpress.org/trunk@34265


git-svn-id: http://core.svn.wordpress.org/trunk@34229 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-17 12:33:26 +00:00
Scott Taylor cd7c0f0b0d Introduce `wp_validate_action( $action = '' )`, a helper function that checks `$_REQUEST` for `action` and returns it, or empty string if not present. If `$action` is passed, it checks to make sure they match before returning it, or an empty string. Strings are always returned to avoid returning multiple types.
Implementing this removes 27 uses of direct superglobal access in the admin.

For more reading:
https://codeclimate.com/github/WordPress/WordPress/wp-admin/edit-comments.php

See #33837.

Built from https://develop.svn.wordpress.org/trunk@34059


git-svn-id: http://core.svn.wordpress.org/trunk@34027 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2015-09-11 21:08:26 +00:00
Drew Jaynes 2faf449f51 Docs Formatting: Backtick-escape inline code for all dynamic hook docs in wp-admin/*.
Also includes some changes to move hook docs to directly precede hook lines. This is necessary to prevent DocBlock-matching confusion when core is parsed.

Affects DocBlocks for the following hooks:
* `wp_ajax_ . $_REQUEST['action']`
* `wp_ajax_nopriv_ . $_REQUEST['action']`
* `admin_footer- . $GLOBALS['hook_suffix']`
* `admin_head-$hook_suffix`
* `admin_post_nopriv_{$action}`
* `admin_post_{$action}`
* `load-  . $page_hook`
* `load- . $plugin_page`
* `load-importer- . $importer`
* `load- . $pagenow`
* `admin_action_ . $_REQUEST['action']`
* `async_upload_{$type}`
* `add_meta_boxes_ . $post_type`
* `{$taxonomy}_pre_edit_form`
* `{$taxonomy}_term_edit_form_tag`
* `{$taxonomy}_edit_form_fields`
* `{$taxonomy}_edit_form`
* `after-{$taxonomy}-table`
* `{$taxonomy}_pre_add_form`
* `{$taxonomy}_term_new_form_tag`
* `{$taxonomy}_add_form_fields`
* `{$taxonomy}_add_form`
* `media_upload_$type`
* `media_upload_$tab`
* `install_plugins_pre_$tab`
* `install_plugins_$tab`
* `install_themes_pre_{$tab}`
* `install_themes_{$tab}`
* `update-core-custom_{$action}`
* `update-custom_{$action}`
* `user_{$name}_label`

See #30552.

Built from https://develop.svn.wordpress.org/trunk@30649


git-svn-id: http://core.svn.wordpress.org/trunk@30639 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-11-30 11:42:24 +00:00
Scott Taylor 112ca4e055 Because the `WP_ADMIN` constant name can be bound in multiple files, all instances should check `! defined` first. `wp-admin/admin.php` already has this check.
See #27881.

Built from https://develop.svn.wordpress.org/trunk@28478


git-svn-id: http://core.svn.wordpress.org/trunk@28305 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-05-18 20:42:16 +00:00
Drew Jaynes a23cc5634f Properly split and document the `admin_post*` actions into the following four hooks:
* `admin_post_nopriv` – for logged-out requests lacking a supplied action
* `admin_post_nopriv_$action` – for logged-out requests with a supplied action
* `admin_post` – for logged-in requests lacking a supplied action
* `admin_post_$action` – for logged-in requests with a supplied action

See [28349], [28350], [28351].
See #26869.

Built from https://develop.svn.wordpress.org/trunk@28394


git-svn-id: http://core.svn.wordpress.org/trunk@28222 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-05-13 07:24:15 +00:00
Drew Jaynes c02696f43f Rename the `$action` hook in wp-admin/admin-post.php to `admin_post{$action}`.
Also, clarify documentation of priv vs nopriv prefixing of the hook name.

See #26869.

Built from https://develop.svn.wordpress.org/trunk@28351


git-svn-id: http://core.svn.wordpress.org/trunk@28179 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-05-08 11:00:15 +00:00
Drew Jaynes f427187fa8 Revert [28349] in favor of retaining the single dynamic `admin_post*` hook.
See #26869.

Built from https://develop.svn.wordpress.org/trunk@28350


git-svn-id: http://core.svn.wordpress.org/trunk@28178 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-05-08 10:47:15 +00:00
Drew Jaynes a6755201d8 Convert and rename the `$action` hook in wp-admin/admin-post to two dynamic hook sets.
* `admin_post_nopriv{$request_action}` is fired for logged-out users
* `admin_post{$request_action}` is fired for logged-in users

Props Otto42, DrewAPicture.
See #26869.

Built from https://develop.svn.wordpress.org/trunk@28349


git-svn-id: http://core.svn.wordpress.org/trunk@28177 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2014-05-08 10:27:14 +00:00
Andrew Nacin 5361a8abca Spell out duplicate hook locations.
props DrewAPicture.
fixes #25658.

Built from https://develop.svn.wordpress.org/trunk@25868


git-svn-id: http://core.svn.wordpress.org/trunk@25868 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-24 22:59:20 +00:00
Andrew Nacin 8ae8e01b67 Remove the old wp_auto_updates_maybe_update cron event. Schedule the new wp_maybe_auto_update event at 7 a.m. and 7 p.m. in the site's timezone.
see #27704.

Built from https://develop.svn.wordpress.org/trunk@25825


git-svn-id: http://core.svn.wordpress.org/trunk@25825 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-24 22:53:14 +00:00
Andrew Nacin 74488bdcb0 Spell out duplicate hook locations.
props DrewAPicture.
fixes #25658.

Built from https://develop.svn.wordpress.org/trunk@25868


git-svn-id: http://core.svn.wordpress.org/trunk@25780 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-10-22 17:22:11 +00:00
Andrew Nacin fd57b239d2 Don't rely on include_path to include files.
Always use dirname() or, once available, ABSPATH.

props ketwaroo, hakre.
fixes #17092.

Built from https://develop.svn.wordpress.org/trunk@25616


git-svn-id: http://core.svn.wordpress.org/trunk@25533 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-25 00:18:11 +00:00
Drew Jaynes 774260c539 Inline documentation for hooks in wp-admin/admin-post.php.
Props ericlewis, kpdesign.
Fixes #25361.

Built from https://develop.svn.wordpress.org/trunk@25589


git-svn-id: http://core.svn.wordpress.org/trunk@25506 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-23 23:48:09 +00:00
Drew Jaynes f7546cb45a Improve file header and description in wp-admin/admin-post.php.
Props ericlewis.
Fixes #25362.

Built from https://develop.svn.wordpress.org/trunk@25561


git-svn-id: http://core.svn.wordpress.org/trunk@25479 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-09-22 05:18:09 +00:00
Andrew Nacin d5c4413aaa send_origin_headers() in admin-post.php.
props nickdaugherty, fixes #24600.


Built from https://develop.svn.wordpress.org/trunk@25036


git-svn-id: http://core.svn.wordpress.org/trunk@25023 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2013-08-16 19:59:08 +00:00
ryan e3b46b25d3 Lose EOF ?>. Clean up EOF newlines. fixes #12307
git-svn-id: http://svn.automattic.com/wordpress/trunk@19712 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-01-08 17:01:11 +00:00
nacin 9cb6e158fc Switch from Panel/SubPanel to Screen in inline documentation and Codex links. props michaelh, fixes #17265.
git-svn-id: http://svn.automattic.com/wordpress/trunk@17748 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2011-04-28 15:24:49 +00:00
ryan 33de670823 Fire nopriv actions from post and ajax handlers when user is not logged in.
git-svn-id: http://svn.automattic.com/wordpress/trunk@10720 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2009-03-05 21:43:35 +00:00
ryan 175c2b6fb1 WP-Admin File Level Inline Documentation from santosj. see #7496
git-svn-id: http://svn.automattic.com/wordpress/trunk@8618 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-08-11 20:26:31 +00:00
ryan ecd98d1aff Generic POST handler. see #7283
git-svn-id: http://svn.automattic.com/wordpress/trunk@8315 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2008-07-11 20:24:35 +00:00