Plugins: Move capability checks further up in wp_ajax_update_plugin() and wp_ajax_delete_plugin().

Add tests for both Ajax handlers.

Props Yorick Koster, swissspidy.
Fixes #37490.
Built from https://develop.svn.wordpress.org/trunk@38168


git-svn-id: http://core.svn.wordpress.org/trunk@38109 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Dominik Schilling 2016-07-27 17:44:41 +00:00
parent e4abc1ecbf
commit 3105764efd
4 changed files with 45 additions and 24 deletions

View File

@ -3653,28 +3653,29 @@ function wp_ajax_update_plugin() {
) );
}
$plugin = plugin_basename( sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) );
$plugin_data = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
$plugin = plugin_basename( sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) );
$status = array(
'update' => 'plugin',
'plugin' => $plugin,
'slug' => sanitize_key( wp_unslash( $_POST['slug'] ) ),
'pluginName' => $plugin_data['Name'],
'oldVersion' => '',
'newVersion' => '',
);
if ( ! current_user_can( 'update_plugins' ) || 0 !== validate_file( $plugin ) ) {
$status['errorMessage'] = __( 'Sorry, you are not allowed to update plugins for this site.' );
wp_send_json_error( $status );
}
$plugin_data = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
$status['plugin'] = $plugin;
$status['pluginName'] = $plugin_data['Name'];
if ( $plugin_data['Version'] ) {
/* translators: %s: Plugin version */
$status['oldVersion'] = sprintf( __( 'Version %s' ), $plugin_data['Version'] );
}
if ( ! current_user_can( 'update_plugins' ) ) {
$status['errorMessage'] = __( 'Sorry, you are not allowed to update plugins for this site.' );
wp_send_json_error( $status );
}
include_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
wp_update_plugins();
@ -3748,24 +3749,29 @@ function wp_ajax_delete_plugin() {
check_ajax_referer( 'updates' );
if ( empty( $_POST['slug'] ) || empty( $_POST['plugin'] ) ) {
wp_send_json_error( array( 'errorCode' => 'no_plugin_specified' ) );
wp_send_json_error( array(
'slug' => '',
'errorCode' => 'no_plugin_specified',
'errorMessage' => __( 'No plugin specified.' ),
) );
}
$plugin = plugin_basename( sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) );
$plugin_data = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
$plugin = plugin_basename( sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) );
$status = array(
'delete' => 'plugin',
'slug' => sanitize_key( wp_unslash( $_POST['slug'] ) ),
'plugin' => $plugin,
'pluginName' => $plugin_data['Name'],
'delete' => 'plugin',
'slug' => sanitize_key( wp_unslash( $_POST['slug'] ) ),
);
if ( ! current_user_can( 'delete_plugins' ) ) {
if ( ! current_user_can( 'delete_plugins' ) || 0 !== validate_file( $plugin ) ) {
$status['errorMessage'] = __( 'Sorry, you are not allowed to delete plugins for this site.' );
wp_send_json_error( $status );
}
$plugin_data = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
$status['plugin'] = $plugin;
$status['pluginName'] = $plugin_data['Name'];
if ( is_plugin_active( $plugin ) ) {
$status['errorMessage'] = __( 'You cannot delete a plugin while it is active on the main site.' );
wp_send_json_error( $status );

View File

@ -447,7 +447,11 @@
errorMessage = wp.updates.l10n.updateFailed.replace( '%s', response.errorMessage );
if ( 'plugins' === pagenow || 'plugins-network' === pagenow ) {
$message = $( 'tr[data-plugin="' + response.plugin + '"]' ).find( '.update-message' );
if ( response.plugin ) {
$message = $( 'tr[data-plugin="' + response.plugin + '"]' ).find( '.update-message' );
} else {
$message = $( 'tr[data-slug="' + response.slug + '"]' ).find( '.update-message' );
}
$message.removeClass( 'updating-message notice-warning' ).addClass( 'notice-error' ).find( 'p' ).html( errorMessage );
} else if ( 'plugin-install' === pagenow || 'plugin-install-network' === pagenow ) {
$card = $( '.plugin-card-' + response.slug )
@ -458,9 +462,13 @@
} ) );
$card.find( '.update-now' )
.attr( 'aria-label', wp.updates.l10n.updateFailedLabel.replace( '%s', response.pluginName ) )
.text( wp.updates.l10n.updateFailedShort ).removeClass( 'updating-message' );
if ( response.pluginName ) {
$card.find( '.update-now' )
.attr( 'aria-label', wp.updates.l10n.updateFailedLabel.replace( '%s', response.pluginName ) );
}
$card.on( 'click', '.notice.is-dismissible .notice-dismiss', function() {
// Use same delay as the total duration of the notice fadeTo + slideUp animation.
@ -814,14 +822,21 @@
* @param {string} response.errorMessage The error that occurred.
*/
wp.updates.deletePluginError = function( response ) {
var $plugin = $( 'tr.inactive[data-plugin="' + response.plugin + '"]' ),
var $plugin, $pluginUpdateRow,
pluginUpdateRow = wp.template( 'item-update-row' ),
$pluginUpdateRow = $plugin.siblings( '[data-plugin="' + response.plugin + '"]' ),
noticeContent = wp.updates.adminNotice( {
className: 'update-message notice-error notice-alt',
message: response.errorMessage
} );
if ( response.plugin ) {
$plugin = $( 'tr.inactive[data-plugin="' + response.plugin + '"]' );
$pluginUpdateRow = $plugin.siblings( '[data-plugin="' + response.plugin + '"]' );
} else {
$plugin = $( 'tr.inactive[data-slug="' + response.slug + '"]' );
$pluginUpdateRow = $plugin.siblings( '[data-slug="' + response.slug + '"]' );
}
if ( ! wp.updates.isValidResponse( response, 'delete' ) ) {
return;
}
@ -835,7 +850,7 @@
$plugin.addClass( 'update' ).after(
pluginUpdateRow( {
slug: response.slug,
plugin: response.plugin,
plugin: response.plugin || response.slug,
colspan: $( '#bulk-action-form' ).find( 'thead th:not(.hidden), thead td' ).length,
content: noticeContent
} )

File diff suppressed because one or more lines are too long

View File

@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
$wp_version = '4.6-beta4-38167';
$wp_version = '4.6-beta4-38168';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.