Plugins: Move capability checks further up in `wp_ajax_update_plugin()` and `wp_ajax_delete_plugin()`.

Add tests for both Ajax handlers. Props Yorick Koster, swissspidy. Fixes #37490. Built from https://develop.svn.wordpress.org/trunk@38168 git-svn-id: http://core.svn.wordpress.org/trunk@38109 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2016-07-27 17:44:41 +00:00 · 2016-07-27 17:44:41 +00:00 · 3105764efd
parent e4abc1ecbf
commit 3105764efd
4 changed files with 45 additions and 24 deletions
--- a/wp-admin/includes/ajax-actions.php
+++ b/wp-admin/includes/ajax-actions.php
@ -3653,28 +3653,29 @@ function wp_ajax_update_plugin() {
 		) );
 	}

-	$plugin      = plugin_basename( sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) );
-	$plugin_data = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
+	$plugin = plugin_basename( sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) );

 	$status = array(
 		'update'     => 'plugin',
-		'plugin'     => $plugin,
 		'slug'       => sanitize_key( wp_unslash( $_POST['slug'] ) ),
-		'pluginName' => $plugin_data['Name'],
 		'oldVersion' => '',
 		'newVersion' => '',
 	);

+	if ( ! current_user_can( 'update_plugins' ) || 0 !== validate_file( $plugin ) ) {
+		$status['errorMessage'] = __( 'Sorry, you are not allowed to update plugins for this site.' );
+		wp_send_json_error( $status );
+	}
+
+	$plugin_data          = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
+	$status['plugin']     = $plugin;
+	$status['pluginName'] = $plugin_data['Name'];
+
 	if ( $plugin_data['Version'] ) {
 		/* translators: %s: Plugin version */
 		$status['oldVersion'] = sprintf( __( 'Version %s' ), $plugin_data['Version'] );
 	}

-	if ( ! current_user_can( 'update_plugins' ) ) {
-		$status['errorMessage'] = __( 'Sorry, you are not allowed to update plugins for this site.' );
-		wp_send_json_error( $status );
-	}
-
 	include_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

 	wp_update_plugins();
@ -3748,24 +3749,29 @@ function wp_ajax_delete_plugin() {
 	check_ajax_referer( 'updates' );

 	if ( empty( $_POST['slug'] ) || empty( $_POST['plugin'] ) ) {
-		wp_send_json_error( array( 'errorCode' => 'no_plugin_specified' ) );
+		wp_send_json_error( array(
+			'slug'         => '',
+			'errorCode'    => 'no_plugin_specified',
+			'errorMessage' => __( 'No plugin specified.' ),
+		) );
 	}

-	$plugin      = plugin_basename( sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) );
-	$plugin_data = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
+	$plugin = plugin_basename( sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) );

 	$status = array(
-		'delete'     => 'plugin',
-		'slug'       => sanitize_key( wp_unslash( $_POST['slug'] ) ),
-		'plugin'     => $plugin,
-		'pluginName' => $plugin_data['Name'],
+		'delete' => 'plugin',
+		'slug'   => sanitize_key( wp_unslash( $_POST['slug'] ) ),
 	);

-	if ( ! current_user_can( 'delete_plugins' ) ) {
+	if ( ! current_user_can( 'delete_plugins' ) || 0 !== validate_file( $plugin ) ) {
 		$status['errorMessage'] = __( 'Sorry, you are not allowed to delete plugins for this site.' );
 		wp_send_json_error( $status );
 	}

+	$plugin_data          = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
+	$status['plugin']     = $plugin;
+	$status['pluginName'] = $plugin_data['Name'];
+
 	if ( is_plugin_active( $plugin ) ) {
 		$status['errorMessage'] = __( 'You cannot delete a plugin while it is active on the main site.' );
 		wp_send_json_error( $status );
--- a/wp-admin/js/updates.js
+++ b/wp-admin/js/updates.js
@ -447,7 +447,11 @@
 		errorMessage = wp.updates.l10n.updateFailed.replace( '%s', response.errorMessage );

 		if ( 'plugins' === pagenow || 'plugins-network' === pagenow ) {
-			$message = $( 'tr[data-plugin="' + response.plugin + '"]' ).find( '.update-message' );
+			if ( response.plugin ) {
+				$message = $( 'tr[data-plugin="' + response.plugin + '"]' ).find( '.update-message' );
+			} else {
+				$message = $( 'tr[data-slug="' + response.slug + '"]' ).find( '.update-message' );
+			}
 			$message.removeClass( 'updating-message notice-warning' ).addClass( 'notice-error' ).find( 'p' ).html( errorMessage );
 		} else if ( 'plugin-install' === pagenow || 'plugin-install-network' === pagenow ) {
 			$card = $( '.plugin-card-' + response.slug )
@ -458,9 +462,13 @@
 				} ) );

 			$card.find( '.update-now' )
-				.attr( 'aria-label', wp.updates.l10n.updateFailedLabel.replace( '%s', response.pluginName ) )
 				.text( wp.updates.l10n.updateFailedShort ).removeClass( 'updating-message' );

+			if ( response.pluginName ) {
+				$card.find( '.update-now' )
+					.attr( 'aria-label', wp.updates.l10n.updateFailedLabel.replace( '%s', response.pluginName ) );
+			}
+
 			$card.on( 'click', '.notice.is-dismissible .notice-dismiss', function() {

 				// Use same delay as the total duration of the notice fadeTo + slideUp animation.
@ -814,14 +822,21 @@
 	 * @param {string}  response.errorMessage The error that occurred.
 	 */
 	wp.updates.deletePluginError = function( response ) {
-		var $plugin          = $( 'tr.inactive[data-plugin="' + response.plugin + '"]' ),
+		var $plugin, $pluginUpdateRow,
 			pluginUpdateRow  = wp.template( 'item-update-row' ),
-			$pluginUpdateRow = $plugin.siblings( '[data-plugin="' + response.plugin + '"]' ),
 			noticeContent    = wp.updates.adminNotice( {
 				className: 'update-message notice-error notice-alt',
 				message:   response.errorMessage
 			} );

+		if ( response.plugin ) {
+			$plugin          = $( 'tr.inactive[data-plugin="' + response.plugin + '"]' );
+			$pluginUpdateRow = $plugin.siblings( '[data-plugin="' + response.plugin + '"]' );
+		} else {
+			$plugin          = $( 'tr.inactive[data-slug="' + response.slug + '"]' );
+			$pluginUpdateRow = $plugin.siblings( '[data-slug="' + response.slug + '"]' );
+		}
+
 		if ( ! wp.updates.isValidResponse( response, 'delete' ) ) {
 			return;
 		}
@ -835,7 +850,7 @@
 			$plugin.addClass( 'update' ).after(
 				pluginUpdateRow( {
 					slug:    response.slug,
-					plugin:  response.plugin,
+					plugin:  response.plugin || response.slug,
 					colspan: $( '#bulk-action-form' ).find( 'thead th:not(.hidden), thead td' ).length,
 					content: noticeContent
 				} )
--- a/wp-admin/js/updates.min.js
+++ b/wp-admin/js/updates.min.js
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.6-beta4-38167';
+$wp_version = '4.6-beta4-38168';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.