Plugin/Theme Uploads: New capabilities; unify UIs; ensure compatibility with old filters.

Introduce upload_plugins and upload_themes capabilities to allow blocking of plugin and theme uploads, versus the old hacky (and not secure) ways of just hiding UI tabs. These are simply meta capabilities that map to install_plugins and install_themes.
 
Also:
 * Use the same nice design for the plugin upload screen as the theme upload screen.
 * Better compatibility for the old install_themes_tabs filter added in [29002]. see #28578.
 * Ensure using the install_plugins_tabs filter to remove the upload tab removes the new button.
 * Use 'Add Plugins' instead of 'Install Plugins' to match 'Add Themes'.

fixes #29236.

Built from https://develop.svn.wordpress.org/trunk@29634


git-svn-id: http://core.svn.wordpress.org/trunk@29408 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/css/themes-rtl.css

@@ -1091,7 +1091,8 @@ body.folded .theme-overlay .theme-wrap {
 .theme-install-php.show-upload-theme a.browse-themes {
 	display: inline;
 }
-.upload-theme {
+.upload-theme,
+.upload-plugin {
 	-webkit-box-sizing: border-box;
 	-moz-box-sizing: border-box;
 	box-sizing: border-box;
@@ -1103,17 +1104,20 @@ body.folded .theme-overlay .theme-wrap {
 	position: relative;
 	top: 10px;
 }
-body.show-upload-theme .upload-theme {
+body.show-upload-theme .upload-theme,
+.upload-plugin {
 	display: block;
 }
-.upload-theme .wp-upload-form {
+.upload-theme .wp-upload-form,
+.upload-plugin .wp-upload-form {
 	background: #fafafa;
 	border: 1px solid #e5e5e5;
 	padding: 30px;
 	margin: 30px auto;
 	max-width: 380px;
 }
-.upload-theme .install-help {
+.upload-theme .install-help,
+.upload-plugin .install-help {
 	color: #999;
 	font-size: 18px;
 	font-style: normal;

wp-admin/css/themes.css

@@ -1091,7 +1091,8 @@ body.folded .theme-overlay .theme-wrap {
 .theme-install-php.show-upload-theme a.browse-themes {
 	display: inline;
 }
-.upload-theme {
+.upload-theme,
+.upload-plugin {
 	-webkit-box-sizing: border-box;
 	-moz-box-sizing: border-box;
 	box-sizing: border-box;
@@ -1103,17 +1104,20 @@ body.folded .theme-overlay .theme-wrap {
 	position: relative;
 	top: 10px;
 }
-body.show-upload-theme .upload-theme {
+body.show-upload-theme .upload-theme,
+.upload-plugin {
 	display: block;
 }
-.upload-theme .wp-upload-form {
+.upload-theme .wp-upload-form,
+.upload-plugin .wp-upload-form {
 	background: #fafafa;
 	border: 1px solid #e5e5e5;
 	padding: 30px;
 	margin: 30px auto;
 	max-width: 380px;
 }
-.upload-theme .install-help {
+.upload-theme .install-help,
+.upload-plugin .install-help {
 	color: #999;
 	font-size: 18px;
 	font-style: normal;

wp-admin/includes/class-wp-plugin-install-list-table.php

@@ -69,8 +69,13 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
 		if ( $tab === 'beta' || false !== strpos( $GLOBALS['wp_version'], '-' ) ) {
 			$tabs['beta']      = _x( 'Beta Testing', 'Plugin Installer' );
 		}
+		if ( current_user_can( 'upload_plugins' ) ) {
+			// No longer a real tab. Here for filter compatibility.
+			// Gets juggled into $nonmenu_tabs below.
+			$tabs['upload'] = __( 'Upload Plugin' );
+		}
 
-		$nonmenu_tabs = array( 'upload', 'plugin-information' ); //Valid actions to perform which do not have a Menu item.
+		$nonmenu_tabs = array( 'plugin-information' ); // Valid actions to perform which do not have a Menu item.
 
 		/**
 		 * Filter the tabs shown on the Plugin Install screen.
@@ -91,6 +96,11 @@ class WP_Plugin_Install_List_Table extends WP_List_Table {
 		 */
 		$nonmenu_tabs = apply_filters( 'install_plugins_nonmenu_tabs', $nonmenu_tabs );
 
+		if ( isset( $tabs['upload'] ) ) {
+			unset( $tabs['upload'] );
+			$nonmenu_tabs[] = 'upload';
+		}
+
 		// If a non-valid menu tab has been selected, And it's not a non-menu action.
 		if ( empty( $tab ) || ( !isset( $tabs[ $tab ] ) && !in_array( $tab, (array) $nonmenu_tabs ) ) )
 			$tab = key( $tabs );

wp-admin/includes/plugin-install.php

@@ -195,7 +195,7 @@ function install_search_form( $type_selector = true ) {
  */
 function install_plugins_upload( $page = 1 ) {
 ?>
-	<h4><?php _e('Install a plugin in .zip format'); ?></h4>
+<div class="upload-plugin">
 	<p class="install-help"><?php _e('If you have a plugin in a .zip format, you may install it by uploading it here.'); ?></p>
 	<form method="post" enctype="multipart/form-data" class="wp-upload-form" action="<?php echo self_admin_url('update.php?action=upload-plugin'); ?>">
 		<?php wp_nonce_field( 'plugin-upload'); ?>
@@ -203,6 +203,7 @@ function install_plugins_upload( $page = 1 ) {
 		<input type="file" id="pluginzip" name="pluginzip" />
 		<?php submit_button( __( 'Install Now' ), 'button', 'install-plugin-submit', false ); ?>
 	</form>
+</div>
 <?php
 }
 add_action('install_plugins_upload', 'install_plugins_upload', 10, 1);

wp-admin/plugin-install.php

@@ -26,7 +26,7 @@ $wp_list_table = _get_list_table('WP_Plugin_Install_List_Table');
 $pagenum = $wp_list_table->get_pagenum();
 $wp_list_table->prepare_items();
 
-$title = __('Install Plugins');
+$title = __( 'Add Plugins' );
 $parent_file = 'plugins.php';
 
 wp_enqueue_script( 'plugin-install' );
@@ -75,16 +75,26 @@ include(ABSPATH . 'wp-admin/admin-header.php');
 <div class="wrap">
 <h2>
 	<?php
-		echo esc_html( $title );
-		$href = self_admin_url( 'plugin-install.php?tab=upload' );
+	echo esc_html( $title );
+	if ( ! empty( $tabs['upload'] ) && current_user_can( 'upload_plugins' ) ) {
+		if ( $tab === 'upload' ) {
+			$href = self_admin_url( 'plugin-install.php' );
+			$text = _x( 'Browse', 'plugins' );
+		} else {
+			$href = self_admin_url( 'plugin-install.php?tab=upload' );
+			$text = __( 'Upload Plugin' );
+		}
+		echo ' <a href="' . $href . '" class="upload add-new-h2">' . $text . '</a>';
+	}
 	?>
-	<a href="<?php echo $href; ?>" class="upload add-new-h2"><?php _e( 'Upload Plugin' ); ?></a>
 </h2>
 
-<?php $wp_list_table->views(); ?>
-
-<br class="clear" />
 <?php
+if ( $tab !== 'upload' ) {
+	$wp_list_table->views();
+	echo '<br class="clear" />';
+}
+
 /**
  * Fires after the plugins list table in each tab of the Install Plugins screen.
  *

wp-admin/theme-install.php

@@ -27,11 +27,6 @@ if ( ! is_network_admin() ) {
 	$submenu_file = 'themes.php';
 }
 
-$tabs = array(
-	'upload'        => __( 'Upload Theme' ),
-	'browse-themes' => _x( 'Browse', 'themes' ),
-);
-
 $sections = array(
 	'featured' => __( 'Featured Themes' ),
 	'popular'  => __( 'Popular Themes' ),
@@ -113,22 +108,24 @@ include(ABSPATH . 'wp-admin/admin-header.php');
 
 ?>
 <div class="wrap">
-	<h2>
-		<?php echo esc_html( $title ); ?>
-		<?php
-		/**
-		 * Filter the tabs shown on the Install Themes screen.
-		 * 
-		 * @since 2.8.0
-		 * @param array $tabs The tabs shown on the Install Themes screen. Defaults are
-		 *                    'upload' and 'browse-themes'.
-		 */
-		$tabs = apply_filters( 'install_themes_tabs', $tabs );
-		foreach ( $tabs as $tab_slug => $tab_name ) {
-			echo '<a href="#" class="' . esc_attr( $tab_slug ) . ' add-new-h2">' . $tab_name . '</a>';
-		}
-		?>
-	</h2>
+	<h2><?php
+	echo esc_html( $title );
+
+	/**
+	 * Filter the tabs shown on the Add Themes screen.
+	 *
+	 * This filter is for backwards compatibility only,
+	 * for the suppression of the upload tab.
+	 *
+	 * @since 2.8.0
+	 * @param array $tabs The tabs shown on the Add Themes screen. Default is 'upload'.
+	 */
+	$tabs = apply_filters( 'install_themes_tabs', array( 'upload' => __( 'Upload Theme' ) ) );
+	if ( ! empty( $tabs['upload'] ) && current_user_can( 'upload_themes' ) ) {
+		echo ' <a href="#" class="upload add-new-h2">' . __( 'Upload Theme' ) . '</a>';
+		echo ' <a href="#" class="browse-themes add-new-h2">' . _x( 'Browse', 'themes' ) . '</a>';
+	}
+	?></h2>
 
 	<div class="upload-theme">
 	<?php install_themes_upload(); ?>

wp-admin/update.php

@@ -123,8 +123,9 @@ if ( isset($_GET['action']) ) {
 
 	} elseif ( 'upload-plugin' == $action ) {
 
-		if ( ! current_user_can('install_plugins') )
+		if ( ! current_user_can( 'upload_plugins' ) ) {
 			wp_die( __( 'You do not have sufficient permissions to install plugins on this site.' ) );
+		}
 
 		check_admin_referer('plugin-upload');
 
@@ -227,8 +228,9 @@ if ( isset($_GET['action']) ) {
 
 	} elseif ( 'upload-theme' == $action ) {
 
-		if ( ! current_user_can('install_themes') )
+		if ( ! current_user_can( 'upload_themes' ) ) {
 			wp_die( __( 'You do not have sufficient permissions to install themes on this site.' ) );
+		}
 
 		check_admin_referer('theme-upload');
 

wp-includes/capabilities.php

@@ -1262,18 +1262,25 @@ function map_meta_cap( $cap, $user_id ) {
 	case 'update_plugins':
 	case 'delete_plugins':
 	case 'install_plugins':
+	case 'upload_plugins':
 	case 'update_themes':
 	case 'delete_themes':
 	case 'install_themes':
+	case 'upload_themes':
 	case 'update_core':
 		// Disallow anything that creates, deletes, or updates core, plugin, or theme files.
 		// Files in uploads are excepted.
-		if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS )
+		if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) {
 			$caps[] = 'do_not_allow';
-		elseif ( is_multisite() && ! is_super_admin( $user_id ) )
+		} elseif ( is_multisite() && ! is_super_admin( $user_id ) ) {
 			$caps[] = 'do_not_allow';
-		else
+		} elseif ( 'upload_themes' === $cap ) {
+			$caps[] = 'install_themes';
+		} elseif ( 'upload_plugins' === $cap ) {
+			$caps[] = 'install_plugins';
+		} else {
 			$caps[] = $cap;
+		}
 		break;
 	case 'activate_plugins':
 		$caps[] = $cap;

wp-includes/version.php

@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.0-beta4-20140826';
+$wp_version = '4.0-beta4-20140827';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.