From 9115435213949dc6687c7a7581dffd91b5139f3f Mon Sep 17 00:00:00 2001
From: ryan <ryan@1a063a9b-81f0-0310-95a4-ce76da25c4cd>
Date: Fri, 8 Jun 2012 19:22:11 +0000
Subject: [PATCH] Customizer: Gravefully handle cookie expipration. Prompt for
 log in in the preview. Props ocean90, koopersmith, nacin. fixes #20876

git-svn-id: http://core.svn.wordpress.org/trunk@21031 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/css/customize-controls.dev.css    | 21 ++++++
 wp-admin/customize.php                     |  6 ++
 wp-admin/js/customize-controls.dev.js      | 78 +++++++++++++++++++++-
 wp-includes/class-wp-customize-manager.php | 58 +++++++++++++---
 wp-includes/script-loader.php              |  1 +
 wp-login.php                               | 41 ++++++++++--
 6 files changed, 187 insertions(+), 18 deletions(-)

diff --git a/wp-admin/css/customize-controls.dev.css b/wp-admin/css/customize-controls.dev.css
index ba8f71de59..908caa2d8f 100644
--- a/wp-admin/css/customize-controls.dev.css
+++ b/wp-admin/css/customize-controls.dev.css
@@ -514,3 +514,24 @@ body {
 	-webkit-overflow-scrolling: touch;
 }
 
+/**
+ * Handle cheaters.
+ */
+body.cheatin {
+	min-width: 0;
+	background: #f9f9f9;
+	padding: 50px;
+}
+
+body.cheatin p {
+	max-width: 700px;
+	margin: 0 auto;
+	padding: 2em;
+	font-size: 14px;
+
+	background: #fff;
+	border: 1px solid #dfdfdf;
+
+	-webkit-border-radius: 3px;
+	border-radius:         3px;
+}
\ No newline at end of file
diff --git a/wp-admin/customize.php b/wp-admin/customize.php
index b631f9f515..d60c99330d 100644
--- a/wp-admin/customize.php
+++ b/wp-admin/customize.php
@@ -148,6 +148,11 @@ do_action( 'customize_controls_print_scripts' );
 		'TB_iframe'      => 'true'
 	), home_url( '/' ) );
 
+	$login_url = add_query_arg( array(
+		'interim-login' => 1,
+		'customize-login' => 1
+	), wp_login_url() );
+
 	$settings = array(
 		'theme'    => array(
 			'stylesheet' => $wp_customize->get_stylesheet(),
@@ -162,6 +167,7 @@ do_action( 'customize_controls_print_scripts' );
 			'isCrossDomain' => $cross_domain,
 			'fallback'      => $fallback_url,
 			'home'          => esc_url( home_url( '/' ) ),
+			'login'         => $login_url,
 		),
 		'browser'  => array(
 			'mobile' => wp_is_mobile(),
diff --git a/wp-admin/js/customize-controls.dev.js b/wp-admin/js/customize-controls.dev.js
index 4e54c1866c..a6af649b4f 100644
--- a/wp-admin/js/customize-controls.dev.js
+++ b/wp-admin/js/customize-controls.dev.js
@@ -334,6 +334,18 @@
 					return;
 				}
 
+				// Check if the user is not logged in.
+				if ( '0' === response ) {
+					deferred.rejectWith( self, [ 'logged out' ] );
+					return;
+				}
+
+				// Check for cheaters.
+				if ( '-1' === response ) {
+					deferred.rejectWith( self, [ 'cheatin' ] );
+					return;
+				}
+
 				// Check for a signature in the request.
 				index = response.lastIndexOf( signature );
 				if ( -1 === index || index < response.lastIndexOf('</html>') ) {
@@ -548,7 +560,52 @@
 			this.loading.fail( function( reason, location ) {
 				if ( 'redirect' === reason && location )
 					self.url( location );
+
+				if ( 'logged out' === reason ) {
+					if ( self.iframe ) {
+						self.iframe.destroy();
+						delete self.iframe;
+					}
+
+					self.login().done( self.refresh );
+				}
+
+				if ( 'cheatin' === reason )
+					self.cheatin();
 			});
+		},
+
+		login: function() {
+			var previewer = this,
+				deferred, messenger, iframe;
+
+			if ( this._login )
+				return this._login;
+
+			deferred = $.Deferred();
+			this._login = deferred.promise();
+
+			messenger = new api.Messenger({
+				channel: 'login',
+				url:     api.settings.url.login
+			});
+
+			iframe = $('<iframe src="' + api.settings.url.login + '" />').appendTo( this.container );
+
+			messenger.targetWindow( iframe[0].contentWindow );
+
+			messenger.bind( 'login', function() {
+				iframe.remove();
+				messenger.destroy();
+				delete previewer._login;
+				deferred.resolve();
+			});
+
+			return this._login;
+		},
+
+		cheatin: function() {
+			$( document.body ).empty().addClass('cheatin').append( '<p>' + api.l10n.cheatin + '</p>' );
 		}
 	});
 
@@ -605,7 +662,8 @@
 			nonce: $('#_wpnonce').val(),
 
 			save: function() {
-				var query = $.extend( this.query(), {
+				var self  = this,
+					query = $.extend( this.query(), {
 						action: 'customize_save',
 						nonce:  this.nonce
 					}),
@@ -619,7 +677,23 @@
 					body.removeClass('saving');
 				});
 
-				request.done( function() {
+				request.done( function( response ) {
+					// Check if the user is logged out.
+					if ( '0' === response ) {
+						self.iframe.iframe.hide();
+						self.login().done( function() {
+							self.save();
+							self.iframe.iframe.show();
+						});
+						return;
+					}
+
+					// Check for cheaters.
+					if ( '-1' === response ) {
+						self.cheatin();
+						return;
+					}
+
 					api.trigger( 'saved' );
 				});
 			}
diff --git a/wp-includes/class-wp-customize-manager.php b/wp-includes/class-wp-customize-manager.php
index 782ff6038d..d7be722f0d 100644
--- a/wp-includes/class-wp-customize-manager.php
+++ b/wp-includes/class-wp-customize-manager.php
@@ -31,6 +31,8 @@ final class WP_Customize_Manager {
 		require( ABSPATH . WPINC . '/class-wp-customize-section.php' );
 		require( ABSPATH . WPINC . '/class-wp-customize-control.php' );
 
+		add_filter( 'wp_die_handler', array( $this, 'wp_die_handler' ) );
+
 		add_action( 'setup_theme',  array( $this, 'setup_theme' ) );
 		add_action( 'wp_loaded',    array( $this, 'wp_loaded' ) );
 
@@ -52,16 +54,54 @@ final class WP_Customize_Manager {
 		add_action( 'customize_controls_enqueue_scripts', array( $this, 'enqueue_control_scripts' ) );
 	}
 
-	/**
-	 * Start preview and customize theme.
+ 	/**
+	 * Return true if it's an AJAX request.
 	 *
-	 * Check if customize query variable exist. Init filters to filter the current theme.
+	 * @since 3.4.0
+	 */
+	public function doing_ajax() {
+		return isset( $_POST['customized'] ) || ( defined( 'DOING_AJAX' ) && DOING_AJAX );
+	}
+
+	/**
+	 * Custom wp_die wrapper. Returns either the standard message for UI
+	 * or the AJAX message.
+	 *
+	 * @param  mixed $ajax_message AJAX return
+	 * @param  mixed $message      UI message
+	 *
+	 * @since 3.4.0
+	 */
+	private function wp_die( $ajax_message, $message ) {
+		if ( $this->doing_ajax() )
+			wp_die( $ajax_message );
+
+		wp_die( $message );
+	}
+
+	/**
+	 * Return the AJAX wp_die() handler if it's a customized request.
+	 *
+	 * @since 3.4.0
+	 */
+	public function wp_die_handler() {
+		if ( $this->doing_ajax() )
+			return '_ajax_wp_die_handler';
+
+		return '_default_wp_die_handler';
+	}
+	/**
+	* Start preview and customize theme.
+	*
+	* Check if customize query variable exist. Init filters to filter the current theme.
 	 *
 	 * @since 3.4.0
 	 */
 	public function setup_theme() {
-		if ( is_admin() && ! defined( 'DOING_AJAX' ) )
-			auth_redirect();
+		if ( is_admin() && ! $this->doing_ajax() )
+		    auth_redirect();
+		elseif ( $this->doing_ajax() && ! is_user_logged_in())
+		    wp_die( 0 );
 
 		send_origin_headers();
 
@@ -71,13 +111,13 @@ final class WP_Customize_Manager {
 
 		// You can't preview a theme if it doesn't exist, or if it is not allowed (unless active).
 		if ( ! $this->theme->exists() )
-			wp_die( __( 'Cheatin&#8217; uh?' ) );
+			$this->wp_die( -1, __( 'Cheatin&#8217; uh?' ) );
 
 		if ( $this->theme->get_stylesheet() != get_stylesheet() && ( ! $this->theme()->is_allowed() || ! current_user_can( 'switch_themes' ) ) )
-			wp_die( __( 'Cheatin&#8217; uh?' ) );
+			$this->wp_die( -1, __( 'Cheatin&#8217; uh?' ) );
 
 		if ( ! current_user_can( 'edit_theme_options' ) )
-			wp_die( __( 'Cheatin&#8217; uh?' ) );
+			$this->wp_die( -1, __( 'Cheatin&#8217; uh?' ) );
 
 		$this->start_previewing_theme();
 		show_admin_bar( false );
@@ -949,4 +989,4 @@ function maybe_hash_hex_color( $color ) {
 		return '#' . $unhashed;
 
 	return $color;
-}
\ No newline at end of file
+}
diff --git a/wp-includes/script-loader.php b/wp-includes/script-loader.php
index 49e30a98a4..dab58683e8 100644
--- a/wp-includes/script-loader.php
+++ b/wp-includes/script-loader.php
@@ -305,6 +305,7 @@ function wp_default_scripts( &$scripts ) {
 		'saved'     => __( 'Saved' ),
 		'cancel'    => __( 'Cancel' ),
 		'close'     => __( 'Close' ),
+		'cheatin'   => __( 'Cheatin&#8217; uh?' ),
 	) );
 
 	if ( is_admin() ) {
diff --git a/wp-login.php b/wp-login.php
index ffe4e1e706..0b1df60781 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -39,7 +39,7 @@ if ( force_ssl_admin() && !is_ssl() ) {
  * @param WP_Error $wp_error Optional. WordPress Error Object
  */
 function login_header($title = 'Log In', $message = '', $wp_error = '') {
-	global $error, $interim_login, $current_site;
+	global $error, $interim_login, $current_site, $customize_login;
 
 	// Don't index any of these forms
 	add_action( 'login_head', 'wp_no_robots' );
@@ -68,6 +68,9 @@ function login_header($title = 'Log In', $message = '', $wp_error = '') {
 		<meta name="viewport" content="width=320; initial-scale=0.9; maximum-scale=1.0; user-scalable=0;" /><?php
 	}
 
+	if ( $customize_login )
+		wp_enqueue_script( 'customize-base' );
+
 	do_action( 'login_enqueue_scripts' );
 	do_action( 'login_head' );
 
@@ -82,6 +85,10 @@ function login_header($title = 'Log In', $message = '', $wp_error = '') {
 	$login_header_url   = apply_filters( 'login_headerurl',   $login_header_url   );
 	$login_header_title = apply_filters( 'login_headertitle', $login_header_title );
 
+	// Don't allow interim logins to navigate away from the page.
+	if ( $interim_login )
+		$login_header_url = '#';
+
 	?>
 	</head>
 	<body class="login<?php if ( wp_is_mobile() ) echo ' mobile'; ?>">
@@ -126,8 +133,13 @@ function login_header($title = 'Log In', $message = '', $wp_error = '') {
  * @param string $input_id Which input to auto-focus
  */
 function login_footer($input_id = '') {
-	?>
+	global $interim_login;
+
+	// Don't allow interim logins to navigate away from the page.
+	if ( ! $interim_login ): ?>
 	<p id="backtoblog"><a href="<?php echo esc_url( home_url( '/' ) ); ?>" title="<?php esc_attr_e( 'Are you lost?' ); ?>"><?php printf( __( '&larr; Back to %s' ), get_bloginfo( 'title', 'display' ) ); ?></a></p>
+	<?php endif; ?>
+
 	</div>
 
 	<?php if ( !empty($input_id) ) : ?>
@@ -555,6 +567,7 @@ case 'login' :
 default:
 	$secure_cookie = '';
 	$interim_login = isset($_REQUEST['interim-login']);
+	$customize_login = isset( $_REQUEST['customize-login'] );
 
 	// If the user wants ssl but the session is not ssl, force a secure cookie.
 	if ( !empty($_POST['log']) && !force_ssl_admin() ) {
@@ -591,11 +604,22 @@ default:
 	if ( !is_wp_error($user) && !$reauth ) {
 		if ( $interim_login ) {
 			$message = '<p class="message">' . __('You have logged in successfully.') . '</p>';
-			login_header( '', $message ); ?>
-			<script type="text/javascript">setTimeout( function(){window.close()}, 8000);</script>
-			<p class="alignright">
-			<input type="button" class="button-primary" value="<?php esc_attr_e('Close'); ?>" onclick="window.close()" /></p>
-			</div></body></html>
+			login_header( '', $message );
+
+			if ( ! $customize_login ) : ?>
+				<script type="text/javascript">setTimeout( function(){window.close()}, 8000);</script>
+				<p class="alignright">
+				<input type="button" class="button-primary" value="<?php esc_attr_e('Close'); ?>" onclick="window.close()" /></p>
+<?php		endif;
+
+			?></div><?php
+
+			do_action('login_footer');
+
+			if ( $customize_login ) : ?>
+				<script type="text/javascript">setTimeout( function(){ new wp.customize.Messenger({ url: '<?php echo wp_customize_url(); ?>', channel: 'login' }).send('login') }, 1000 );</script>
+<?php		endif; ?>
+			</body></html>
 <?php		exit;
 		}
 
@@ -666,6 +690,9 @@ default:
 <?php	} else { ?>
 		<input type="hidden" name="redirect_to" value="<?php echo esc_attr($redirect_to); ?>" />
 <?php 	} ?>
+<?php   if ( $customize_login ) : ?>
+		<input type="hidden" name="customize-login" value="1" />
+<?php   endif; ?>
 		<input type="hidden" name="testcookie" value="1" />
 	</p>
 </form>