Switch to a 403 response code in places where it is more appropriate than a 500 due to permissions errors.

Fixes #10551
Props nacin

Built from https://develop.svn.wordpress.org/trunk@30356


git-svn-id: http://core.svn.wordpress.org/trunk@30355 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
John Blackbourn 2014-11-16 06:16:22 +00:00
parent 5f30f13780
commit d88ed475b0
17 changed files with 31 additions and 32 deletions

View File

@ -739,7 +739,7 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
public function step_2() {
check_admin_referer('custom-header-upload', '_wpnonce-custom-header-upload');
if ( ! current_theme_supports( 'custom-header', 'uploads' ) )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
if ( empty( $_POST ) && isset( $_GET['file'] ) ) {
$attachment_id = absint( $_GET['file'] );
@ -890,10 +890,10 @@ wp_nonce_field( 'custom-header-options', '_wpnonce-custom-header-options' ); ?>
check_admin_referer( 'custom-header-crop-image' );
if ( ! current_theme_supports( 'custom-header', 'uploads' ) )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
if ( ! empty( $_POST['skip-cropping'] ) && ! ( current_theme_supports( 'custom-header', 'flex-height' ) || current_theme_supports( 'custom-header', 'flex-width' ) ) )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
if ( $_POST['oitar'] > 1 ) {
$_POST['x1'] = $_POST['x1'] * $_POST['oitar'];

View File

@ -13,7 +13,7 @@ define( 'IFRAME_REQUEST', true );
require_once( dirname( __FILE__ ) . '/admin.php' );
if ( ! current_user_can( 'customize' ) ) {
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
}
wp_reset_vars( array( 'url', 'return' ) );

View File

@ -9,7 +9,7 @@
/** WordPress Administration Bootstrap */
require_once( dirname( __FILE__ ) . '/admin.php' );
if ( !current_user_can('edit_posts') )
wp_die(__('Cheatin’ uh?'));
wp_die( __( 'Cheatin’ uh?' ), 403 );
$wp_list_table = _get_list_table('WP_Comments_List_Table');
$pagenum = $wp_list_table->get_pagenum();

View File

@ -18,7 +18,7 @@ if ( ! $tax )
wp_die( __( 'Invalid taxonomy' ) );
if ( ! current_user_can( $tax->cap->manage_terms ) )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
$wp_list_table = _get_list_table('WP_Terms_List_Table');
$pagenum = $wp_list_table->get_pagenum();
@ -47,7 +47,7 @@ case 'add-tag':
check_admin_referer( 'add-tag', '_wpnonce_add-tag' );
if ( !current_user_can( $tax->cap->edit_terms ) )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
$ret = wp_insert_term( $_POST['tag-name'], $taxonomy, $_POST );
$location = 'edit-tags.php?taxonomy=' . $taxonomy;
@ -83,7 +83,7 @@ case 'delete':
check_admin_referer( 'delete-tag_' . $tag_ID );
if ( !current_user_can( $tax->cap->delete_terms ) )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
wp_delete_term( $tag_ID, $taxonomy );
@ -95,7 +95,7 @@ case 'bulk-delete':
check_admin_referer( 'bulk-tags' );
if ( !current_user_can( $tax->cap->delete_terms ) )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
$tags = (array) $_REQUEST['delete_tags'];
foreach ( $tags as $tag_ID ) {
@ -133,7 +133,7 @@ case 'editedtag':
check_admin_referer( 'update-tag_' . $tag_ID );
if ( !current_user_can( $tax->cap->edit_terms ) )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
$tag = get_term( $tag_ID, $taxonomy );
if ( ! $tag )

View File

@ -25,7 +25,7 @@ if ( ! $post_type_object )
wp_die( __( 'Invalid post type' ) );
if ( ! current_user_can( $post_type_object->cap->edit_posts ) )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
$wp_list_table = _get_list_table('WP_Posts_List_Table');
$pagenum = $wp_list_table->get_pagenum();

View File

@ -27,7 +27,7 @@ function add_link() {
*/
function edit_link( $link_id = 0 ) {
if ( !current_user_can( 'manage_links' ) )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
$_POST['link_url'] = esc_html( $_POST['link_url'] );
$_POST['link_url'] = esc_url($_POST['link_url']);

View File

@ -32,10 +32,10 @@ $post_id = isset($post_id)? (int) $post_id : 0;
// Require an ID for the edit screen.
if ( isset($action) && $action == 'edit' && !$ID )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
if ( ! empty( $_REQUEST['post_id'] ) && ! current_user_can( 'edit_post' , $_REQUEST['post_id'] ) )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
// Upload type: image, video, file, ..?
if ( isset($_GET['type']) ) {

View File

@ -20,7 +20,7 @@ if ( ! current_theme_supports( 'menus' ) && ! current_theme_supports( 'widgets'
// Permissions Check
if ( ! current_user_can('edit_theme_options') )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
wp_enqueue_script( 'nav-menu' );

View File

@ -133,7 +133,7 @@ if ( $action ) {
// If the user doesn't already belong to the blog, bail.
if ( !is_user_member_of_blog( $user_id ) )
wp_die(__('Cheatin’ uh?'));
wp_die( __( 'Cheatin’ uh?' ), 403 );
$user = get_userdata( $user_id );
$user->set_role( $_REQUEST['new_role'] );

View File

@ -45,7 +45,7 @@ if ( empty($option_page) ) {
}
if ( !current_user_can( $capability ) )
wp_die(__('Cheatin’ uh?'));
wp_die( __( 'Cheatin’ uh?' ), 403 );
// Handle admin email change requests
if ( is_multisite() ) {
@ -69,7 +69,7 @@ if ( is_multisite() ) {
}
if ( is_multisite() && !is_super_admin() && 'update' != $action )
wp_die(__('Cheatin’ uh?'));
wp_die( __( 'Cheatin’ uh?' ), 403 );
$whitelist_options = array(
'general' => array( 'blogname', 'blogdescription', 'gmt_offset', 'date_format', 'time_format', 'start_of_week', 'timezone_string', 'WPLANG' ),

View File

@ -48,7 +48,7 @@ $title = $post_type_object->labels->add_new_item;
$editing = true;
if ( ! current_user_can( $post_type_object->cap->edit_posts ) || ! current_user_can( $post_type_object->cap->create_posts ) )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
// Schedule auto-draft cleanup
if ( ! wp_next_scheduled( 'wp_scheduled_auto_draft_delete' ) )

View File

@ -14,7 +14,7 @@ require_once( dirname( __FILE__ ) . '/admin.php' );
header('Content-Type: ' . get_option('html_type') . '; charset=' . get_option('blog_charset'));
if ( ! current_user_can( 'edit_posts' ) || ! current_user_can( get_post_type_object( 'post' )->cap->create_posts ) )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
/**
* Press It form handler.

View File

@ -10,14 +10,14 @@
require_once( dirname( __FILE__ ) . '/admin.php' );
if ( !current_user_can('switch_themes') && !current_user_can('edit_theme_options') )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
if ( current_user_can( 'switch_themes' ) && isset($_GET['action'] ) ) {
if ( 'activate' == $_GET['action'] ) {
check_admin_referer('switch-theme_' . $_GET['stylesheet']);
$theme = wp_get_theme( $_GET['stylesheet'] );
if ( ! $theme->exists() || ! $theme->is_allowed() )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
switch_theme( $theme->get_stylesheet() );
wp_redirect( admin_url('themes.php?activated=true') );
exit;
@ -25,7 +25,7 @@ if ( current_user_can( 'switch_themes' ) && isset($_GET['action'] ) ) {
check_admin_referer('delete-theme_' . $_GET['stylesheet']);
$theme = wp_get_theme( $_GET['stylesheet'] );
if ( !current_user_can('delete_themes') || ! $theme->exists() )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
delete_theme($_GET['stylesheet']);
wp_redirect( admin_url('themes.php?deleted=true') );
exit;

View File

@ -11,9 +11,9 @@ require_once( dirname( __FILE__ ) . '/admin.php' );
if ( is_multisite() ) {
if ( ! current_user_can( 'create_users' ) && ! current_user_can( 'promote_users' ) )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
} elseif ( ! current_user_can( 'create_users' ) ) {
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
}
if ( is_multisite() ) {
@ -55,7 +55,7 @@ if ( isset($_REQUEST['action']) && 'adduser' == $_REQUEST['action'] ) {
}
if ( ! current_user_can('promote_user', $user_details->ID) )
wp_die(__('Cheatin’ uh?'));
wp_die( __( 'Cheatin’ uh?' ), 403 );
// Adding an existing user to this blog
$new_user_email = $user_details->user_email;
@ -92,7 +92,7 @@ Please click the following link to confirm the invite:
check_admin_referer( 'create-user', '_wpnonce_create-user' );
if ( ! current_user_can('create_users') )
wp_die(__('Cheatin’ uh?'));
wp_die( __( 'Cheatin’ uh?' ), 403 );
if ( ! is_multisite() ) {
$user_id = edit_user();

View File

@ -10,7 +10,7 @@
require_once( dirname( __FILE__ ) . '/admin.php' );
if ( ! current_user_can( 'list_users' ) )
wp_die( __( 'Cheatin’ uh?' ) );
wp_die( __( 'Cheatin’ uh?' ), 403 );
$wp_list_table = _get_list_table('WP_Users_List_Table');
$pagenum = $wp_list_table->get_pagenum();
@ -128,7 +128,7 @@ case 'promote':
// If the user doesn't already belong to the blog, bail.
if ( is_multisite() && !is_user_member_of_blog( $id ) )
wp_die(__('Cheatin’ uh?'));
wp_die( __( 'Cheatin’ uh?' ), 403 );
$user = get_userdata( $id );
$user->set_role($_REQUEST['new_role']);

View File

@ -13,7 +13,7 @@ require_once( dirname( __FILE__ ) . '/admin.php' );
require_once(ABSPATH . 'wp-admin/includes/widgets.php');
if ( ! current_user_can('edit_theme_options') )
wp_die( __( 'Cheatin’ uh?' ));
wp_die( __( 'Cheatin’ uh?' ), 403 );
$widgets_access = get_user_setting( 'widgets_access' );
if ( isset($_GET['widgets-access']) ) {

View File

@ -2312,7 +2312,6 @@ function get_allowed_mime_types( $user = null ) {
* @param string $action The nonce action.
*/
function wp_nonce_ays( $action ) {
$title = __( 'WordPress Failure Notice' );
if ( 'log-out' == $action ) {
$html = sprintf( __( 'You are attempting to log out of %s' ), get_bloginfo( 'name' ) ) . '</p><p>';
$redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
@ -2323,7 +2322,7 @@ function wp_nonce_ays( $action ) {
$html .= "</p><p><a href='" . esc_url( remove_query_arg( 'updated', wp_get_referer() ) ) . "'>" . __( 'Please try again.' ) . "</a>";
}
wp_die( $html, $title, array('response' => 403) );
wp_die( $html, __( 'WordPress Failure Notice' ), 403 );
}
/**