Permalink
Browse files

Add some CYA cap checks.

git-svn-id: http://svn.automattic.com/wordpress/branches/2.8@11762 1a063a9b-81f0-0310-95a4-ce76da25c4cd
  • Loading branch information...
1 parent 0bdae51 commit 82fbf6950d26ad1692203c6e4e6bb35891c9559e ryan committed Aug 1, 2009
@@ -9,6 +9,9 @@
/** WordPress Administration Bootstrap */
require_once('admin.php');
+if ( ! current_user_can('manage_options') )
+ wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
$title = __('Discussion Settings');
$parent_file = 'options-general.php';
@@ -9,6 +9,9 @@
/** WordPress Administration Bootstrap */
require_once('./admin.php');
+if ( ! current_user_can('manage_options') )
+ wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
$title = __('General Settings');
$parent_file = 'options-general.php';
/* translators: date and time format for exact current time, mainly about timezones, see http://php.net/date */
@@ -9,6 +9,9 @@
/** WordPress Administration Bootstrap */
require_once('admin.php');
+if ( ! current_user_can('manage_options') )
+ wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
$title = __('Media Settings');
$parent_file = 'options-general.php';
@@ -9,6 +9,9 @@
/** WordPress Administration Bootstrap */
require_once('admin.php');
+if ( ! current_user_can('manage_options') )
+ wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
$title = __('Miscellaneous Settings');
$parent_file = 'options-general.php';
@@ -9,6 +9,9 @@
/** WordPress Administration Bootstrap */
require_once('admin.php');
+if ( ! current_user_can('manage_options') )
+ wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
$title = __('Permalink Settings');
$parent_file = 'options-general.php';
@@ -9,6 +9,9 @@
/** Load WordPress Administration Bootstrap */
require_once('./admin.php');
+if ( ! current_user_can('manage_options') )
+ wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
$title = __('Privacy Settings');
$parent_file = 'options-general.php';
@@ -9,6 +9,9 @@
/** WordPress Administration Bootstrap */
require_once('admin.php');
+if ( ! current_user_can('manage_options') )
+ wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
$title = __('Reading Settings');
$parent_file = 'options-general.php';
@@ -9,6 +9,9 @@
/** WordPress Administration Bootstrap */
require_once('admin.php');
+if ( ! current_user_can('manage_options') )
+ wp_die(__('You do not have sufficient permissions to manage options for this blog.'));
+
$title = __('Writing Settings');
$parent_file = 'options-general.php';
View
@@ -9,6 +9,9 @@
/** WordPress Administration Bootstrap */
require_once('admin.php');
+if ( ! current_user_can('activate_plugins') )
+ wp_die(__('You do not have sufficient permissions to manage plugins for this blog.'));
+
if ( isset($_POST['clear-recent-list']) )
$action = 'clear-recent-list';
elseif ( !empty($_REQUEST['action']) )
@@ -37,6 +40,9 @@
if ( !empty($action) ) {
switch ( $action ) {
case 'activate':
+ if ( ! current_user_can('activate_plugins') )
+ wp_die(__('You do not have sufficient permissions to activate plugins for this blog.'));
+
check_admin_referer('activate-plugin_' . $plugin);
$result = activate_plugin($plugin, 'plugins.php?error=true&plugin=' . $plugin);
@@ -53,6 +59,9 @@
exit;
break;
case 'activate-selected':
+ if ( ! current_user_can('activate_plugins') )
+ wp_die(__('You do not have sufficient permissions to activate plugins for this blog.'));
+
check_admin_referer('bulk-manage-plugins');
$plugins = (array) $_POST['checked'];
@@ -75,6 +84,9 @@
exit;
break;
case 'error_scrape':
+ if ( ! current_user_can('activate_plugins') )
+ wp_die(__('You do not have sufficient permissions to activate plugins for this blog.'));
+
check_admin_referer('plugin-activation-error_' . $plugin);
$valid = validate_plugin($plugin);
@@ -88,13 +100,19 @@
exit;
break;
case 'deactivate':
+ if ( ! current_user_can('activate_plugins') )
+ wp_die(__('You do not have sufficient permissions to deactivate plugins for this blog.'));
+
check_admin_referer('deactivate-plugin_' . $plugin);
deactivate_plugins($plugin);
update_option('recently_activated', array($plugin => time()) + (array)get_option('recently_activated'));
wp_redirect("plugins.php?deactivate=true&plugin_status=$status&paged=$page");
exit;
break;
case 'deactivate-selected':
+ if ( ! current_user_can('activate_plugins') )
+ wp_die(__('You do not have sufficient permissions to deactivate plugins for this blog.'));
+
check_admin_referer('bulk-manage-plugins');
$plugins = (array) $_POST['checked'];
View
@@ -9,6 +9,9 @@
/** WordPress Administration Bootstrap */
require_once('admin.php');
+if ( !current_user_can('switch_themes') )
+ wp_die( __( 'Cheatin’ uh?' ) );
+
if ( isset($_GET['action']) ) {
if ( 'activate' == $_GET['action'] ) {
check_admin_referer('switch-theme_' . $_GET['template']);
View
@@ -17,6 +17,7 @@
// wp-admin pages are checked more carefully
preg_match('#/wp-admin/?(.*?)$#i', $PHP_SELF, $self_matches);
$pagenow = $self_matches[1];
+ $pagenow = trim($pagenow, '/');
$pagenow = preg_replace('#\?.*?$#', '', $pagenow);
if ( '' === $pagenow || 'index' === $pagenow || 'index.php' === $pagenow ) {
$pagenow = 'index.php';

0 comments on commit 82fbf69

Please sign in to comment.